Access. You're watching live coverage. Obviously artificial intelligence has the lion's share publicity but that's nowhere near the limit. Businesses collect or process data ranging from personally identifiable information, name, address, likenesses. Obviously sensitive data, browsing history. The threat to consumers' data that companies face is complex and daunting. As companies collect more data they become more attractive targets for data breaches. And by that I mean criminal activity. Each breach caused company nearly 4.2 per incident. How many more consumers need to be a victim of identity theft to take action? How much longer should we allow data to be sold for profit on the dark web? Will cyber criminals be stopped or deterred from preying on our data? These breaches hurt small businesses, large corporations and everything in between. And in 2023 alone there were 3205 breaches in the U.S. Those of the ones we know a. 353,000 individuals were severely impacted. 10 of publicly traded company reported a data breach impacting 143 million individuals. They could have devastating effects nationwide, wireless carriers exposed data of 70 million customers. A large health insurer saw their system come to a halt that delete important healthcare payments and exposed critical health data. This is why we need strong requirements for how companies collect and protect our data. Conducting routine risk assessments and establishing strong internal and external safeguards. We need a strong national privacy standard that includes data minimization, data security, and establish specific categories to turn off the spigot, as it were so that companies collect from consumers so that companies are not just collecting everything they can. Establishes clear requirements for how company should safeguard the data that they do collect. We need to give consumers meaningful control over how data is used and restore confidence in the technology that powers our economy.
And I think states clearly are not waiting for the federal government to act. 16 states, including Colorado, are in the process of passing their own privacy laws. Other states are talking about a. There are lessons we can learn, for example Colorado has the temporary right to cure for businesses to comply or adapt privacy requirements. There are areas where the federal government has to step in and issue rules apply enforcement. Consistent definitions for key terms like sensitive data or to issue nationwide rules. The American Privacy Rights Act is an important bipartisan framework for Congress to build on. I commend Chair Cantwell and the effort to bring this proposal forward. We are committed to listening to all perspectives on data security. They're obviously interconnected and interrelated. Together they represent the foundation of a strong data privacy framework on which we can build. We have an obligation to build meaningful bipartisan consensus around these complex issues. That's why I look forward to hearing today and each of our witnesses. I would like to welcome each of the witnesses joining us. James Lee, Sam Kaplan. Policy director for New America's Open Technology Institute and Jake Parker. I now recognize our vice chair. Apologies for people coming and going.
I'm the Ranking Member and crews are on the floor. I'm appreciative that the chair has brought privacy back into focus. I've worked for over a decade for Congress to take action in this area. And when Senator Welch and I were on the House Energy and Commerce Committee, we brought forward the data security and breach bill. It was the first of the bills and it was bipartisan. It would take steps to protect the security of data from businesses. It would have required consumer data breach notifications and allowed the state attorney general to hold companies accountable for violations of the law. That is where we were in 2012. And as we now know, this issue grows more and more urgent every single day.
The need for the swift adoption of smart and effective data privacy and security legislation is pressing for several reasons. China and other bad actors are not slowing down. The FBI director was before us at a Judiciary Committee meeting and he said something significant. He said if you are an American adult, it's more likely than not that China has stolen your personal data. He also said China's fast hacking program is the world's largest and they've stolen more Americans' personal and business data than any other country combined. We need to be paying attention to this. China seeks to become the world leader in artificial intelligence. Consumers have valid questions about how their data is going to be used to train these large language models. I hope today that we will discuss why we need federal privacy and security legislation to combat these threats. Second, Congress has passed the point where we risk giving up our authority to states and other countries. State governments are quickly enacting privacy laws, creating a patchwork of regulatory headaches for businesses. 15 such laws exist, including Tennessee and Colorado. The Europeans have beaten us to the punch. Several years ago they did GDPR. They are using it as the foundation for regulating AI. Yet we can use the EU as a cautionary tale about the need to make a regulation smart and effective. I visited there last year and I heard stories from one of their data protection authorities about how they have been asked to resolve disputes over bank accounts after a couple divorced or how to resolve a dispute between neighbors about the location of an antenna. So let's not make these same mistakes and not overreach. We know the Europeans have a heavier-handed approach, which makes it more imperative that we act in a thoughtful manner. More without congressional action, the FTC will proceed ahead with their commercial surveillance and data security rulemaking, which it launched in 2022 without congressional authority.
Congress should be setting these rules, not elected bureaucrat. Finally, while this hearing will feature much discussion on concepts like data minimization and other practices, we must not forget about the cybersecurity threats posed by new and emerging technologies. One area of great interest to Tennessee is quantum technologies. Through methods like harvest now and decrypt later, once bad actors steal encrypted data today, nothing can stop them from decrypting it tomorrow. That is why this committee must with quickly to examine this and reauthorize the National Quantum Initiative Act. I would love to work on this with our chairwoman and the team here. Tennessee is a leader in financial nfh and in technologies like quantum computing. And the Oak Ridge National Lab is at the forefront of basic and applied science research. When I speak with people in the state they ask how we can best tackle privacy and data security issues while also continuing to allow innovation. This committee must be thoughtful in our approach but mindful of the realities the congressional calendar imposes. I look forward to our discussion today and I appreciate the testimony from each of you.
Now, we will hear opening remarks from each of our witnesses. The term witness gives a false sense of insecurity, perhaps these days. We will start with tran nine.
Thank you, Mr. Chairman. I'm James Lee and the chief operating officer of the Identity Theft just so everybody knows the core of our business is to provide ice assistance to those who are victims of identity crimes and we do research and analysis on trends that we make available to the public and private sector. A lot has happened since we were in this room in 2021 to talk about this subject. We've seen bad actors shift their focus and we've seen them accelerate innovation attempts. We may be at the beginning of what is the golden age of identity crime.
It's fueled by stolen personal data, made effective and efficient by AI, with individuals and many businesses helpless to defend themselves. Why do I say that? We give you a scope of the problem. Data breaches are the fuel for identity crimes. And a fair portion of cyber attacks thanks to stolen logins and passwords. The total number of data compromises was 3205. It impacted 353 million people because some people were hit more than once. That is a 78 increase from the year before. It's a 72 increase from the previous high, which happened the last time we had this hearing. From a financial standpoint, more than two thirds of the people who contact the ITRC are losing more than 500. Within that subset 30 of them are losing more than 10,000 and we routinely hear from people losing six and seven figures. The most troubling trend is people that decided that their only way out is self-harm. 60 of people who contacted us that they contemplated taking their own life. For decades before that, that number was never higher than 2 to 4. Now 16 and we do not see it slowing down. We now hear routinely from families who are still being attacked by the identity criminals who try to keep the scam going. We do not advocate one way or the other for legislation, but we provide information. We are still the same place we were the last time. The best way to help victims is to prevent victimization in the first place. An important part of preventing that is three uniform minimum standards for data protection. And technical and nontechnical standards are essential in a world driven by software and data. Compliance with comprehensive but not necessarily prescriptive minimum standards can reduce the risk of exploitation and they are more than just metrics. They are practices like data minimization, which is a concept predicated on a simple truth. If you don't have the data, you cannot lose it. And if it is secure, it cannot be misused until we get to quantum computing.
Routine risk assessments help ensure information systems are secure in a manner equal to the risk. That is important. Equal to the risk that an organization faces. You have privacy by design and security by default. And have all the tools needed to keep private he privacy and security at the forefront of their culture and every stage of a product's life. To be effective in reducing identity crimes, uniform standards need strong enforcement and defenders must measure progress and constantly adjust to the new task and you do that through audits. There also strong enforcement actions when it comes to data breach notices were increasingly ineffective. Even if he noticed his issue. The first three months of this year 32 of data breach notices had some information about what caused the data breach. Reverse that number and it tells you how many did not include information about what happened. That number was 100 of data breach notices until the fourth quarter of 2021. The average number of new data breach notices in the U.S. is nine per day. In the EU, 335 every day. We are missing notices. Let me leave you with a final thought. If we adopt data minimization, and if we give consumers more access and control, it's a vital part of data protection. They can significantly reduce the amount of personal information at risk of a data breach and misuse by criminals. Personal information used responsibly is important for proving a person is who they claim to be, from opening a bank account to applying for government benefit. But they prevent someone from becoming a victim of identity fraud because of stolen personal information. Restricting the use is part of consumer control or data minimization could have the unintended effect of aiding identity criminals and negatively impacting communities that are disproportionately affected by identity crisis. Thank you for your time and I look forward to your questions.
Mr. 
Kaplan, the assistant general counsel at Palo Alto Networks and has spent a considerable amount of time in Colorado.
Thank you, Senator. Thank you for the opportunity to testify on how cybersecurity is a critical and foundational element of data security and consumer protection. My name is Sam Kaplan and I'm the assistant general counsel for public policy and public affairs at Palo Alto Networks. I spent the bulk of my career working at the intersection of national security, data privacy, and I was proud to serve a number of positions across the federal government to include the DHS chief privacy officer. And at the U.S. Department of Justice. We were founded in 2005 and have since become the leading cybersecurity company. This means that we have a deep and broad visibility into the cyber landscape. We are committed to being a cyber citizen and a trusted partner of the federal government. It does no question that they cause disruptions to our regular lives like healthcare or emergency services to compromises of Americans' sensitive data. With that backdrop, Palo Alto Networks strongly believes that deploying cutting-edge cybersecurity defenses is a necessary enabler of data security and privacy. The bottom line, effective data security and data privacy requires cutting-edge cybersecurity protections. Organizations should be encouraged to protect data by implementing robust data and network security practices that can both prevent incidences and events from happening in the first place and mitigate the impact should an incident occur. To stay ahead of the evolving threat landscape, professionals regularly leverage security data, which is the network telemetry. The ones and the zeros. The malware analysis. The IP address. We must ingest and analyze in real time to optimize cyber defenses.
To that end, we are heartened to see cybersecurity generally included in frameworks that companies like ours can use to collect, process, retain, and transfer security data to in turn better protect those systems and data from compromise. Today's landscape requires that approach and everyone's personal privacy will benefit from that framing. To that end, Palo Alto Networks focus on the following actions to bolster their cyber resilience and increase their data security posture. First, leverage the posture of AI and automation. For too long, cyber defenders have been inundated with alerts to triage manually, which can lead to data breaches. AI can help flip this paradigm. Second, ensure complete and identify and mitigate vulnerabilities before they can be exploited. Third, implement a zero-trust architecture to prevent and limit an attacker from moving laterally across the network. Fourth, promote, and secure AI by design, and assist with AI usage, commit policy controls, and ensuring applications are built with artificial intelligence. Fifth, protect cloud infrastructure and applications. As cloud adoption accelerates, cloud security cannot be an afterthought. Sixth, maintain a response plan to prepare for and respond to cyber incidents. Artemi pill Alto Networks is dedicated to securing our way of life. We enthusiastically participate in a number of forums and share our situational awareness and understanding of the threat landscape with those key partners. Our collaboration reinforces that cybersecurity is truly a team sport. Thank you again for the opportunity to testify on how cybersecurity is a foundational requirement of data privacy and I look forward to your questions.
Thank you, Mr. Kaplan. I will now introduce Tram Trivedi.
Ranking Member Blackburn, members of the committee, thank you very much for the opportunity to speak today. I am Tram Trivedi. A nonprofit and nonpartisan organization dedicated