Cyber security breaches, cases where personal information was compromised, how the government can respond, and the technology available for making breaches less likely. This is an hour and a half.

Thank you for your presence. [indiscernible] I indicated this is the first subcommittee I have chaired in eight years in Congress and I was nervous enough not to turn on the microphone. We look forward to being educated and getting a good understanding. First, I want to thank my colleagues and their level of interest in this important topic. I also would like to thank our witnesses for joining us today. Expertise is important to us as members of Congress. Fortunately, this is a very timely topic. The purpose of this hearing is in many ways somewhat narrow. We all know we live in a digital world. They know they can make purchases, determine their credit score, determine banking and health care plans from a mobile unit or tablet. That is true for consumers across the country and increasingly around the globe.
But there are risks in a world where one bad actor can battle against a team of experts. Here we face challenges to make certain consumers are protected. For more than a decade, Congress, the Commerce Committee in particular, has been contemplating issues surrounding security breaches. In 2004, the committee held its first congressional hearing to examine the high-profile breach of ChoicePoint, a data aggregation firm. This breach forced many conversations here in Congress and today we continue that dialogue. A recent high-profile data breach as well as the headline-grabbing Sony cyber attack late last year are the latest examples that highlight the important serious cyber threats that face American businesses. And just this morning, we woke up to the news of what experts are calling the largest healthcare breach to date. This time, the cyber criminals were able to infiltrate the nation's second-largest health insurer to steal names, birth dates, medical ID, Social Security numbers, email addresses, and employment information, including income data. These high-profile breaches are the most severe of what have become common occurrences in our digital society. As of 2015, the Privacy Rights Clearinghouse has estimated more than 4,400 breaches involving more than 932 million records that have been made public since 2005. The Verizon 2014 Data Breach Investigations Report reviewed more than 63,000 security incidents and found 1,367 confirmed data breaches in 2013. So on average, that's just shy of four breaches every day. While Congress has developed sector-specific data security requirements for both companies, Congress has been unable to reach consensus on the development of national data security and data breach notification standards.
As a result, states have taken on this task by developing their own standards and as of today, businesses are subjected to a patchwork of over 50 different state, district, territory laws that determine how businesses must notify consumers in the event of a breach. In addition, 12 states enacted laws regarding data security practices. The need for federal action becomes clearer each day. Last month President Obama voiced his support for data breach notification legislation with strong language, in part because he recognizes the benefits to American consumers and businesses of a predictable uniform data breach notice. The president's support along with bipartisan congressional interest has renewed optimism among stakeholders that Congress can develop a balanced and thoughtful approach with legislation in the near term. Today we'll focus our attention on some of the key questions and topics of this debate, including: What are the benefits of a national breach notification standard? Should Congress implement a basic data security standard? To whom should that standard apply? Should the federal standard preempt state standards? What should be the trigger for notification? The specific conditions that represent a potential harm to consumers. Should there be exemptions and safe harbors? If so, for who? And what circumstances? Within what time frame should a company be required to notify consumers? Should Congress enact new or stronger penalties for enforcement authorities and remedies? What lessons can we learn from states that have implemented their own standards? I'm confident that our panel, with its expertise, can share valuable insight into those questions and others that the committee members may have. As we work and help us find a right balance to these issues. I'd like to recognize the subcommittee's ranking member for him to deliver his opening statement.
And I would indicate to him here in public as we have in private that I look forward to working very closely with you in a very thoughtful and bipartisan way to see that our subcommittee accomplishes good things for the country. Thank you.

First of all, my thanks to Senator Moran for his leadership in a very bipartisan way reaching out to me and also convening this subcommittee on a critically important topic. And I really look forward to his continued insight and very thoughtful leadership on consumer protection issues. I'm proud to serve as the ranking member of this very important subcommittee. I have served on this subcommittee for two years now. And it is critical to consumer issues that affect everyday Americans. We have delved into the General Motors recall, the deadly airbags and more. And today, the issue of data breach is no less central to American lives, even if it seems somewhat less spectacular. 2014 was known as the year of the data breach. And the importance of this issue was brought home, as Senator Moran said, just this morning when we read about the Anthem breach, which is absolutely breathtaking in its scope and scale. It is not only breathtaking but mind-bending in its extent and potential impact and potentially heartbreaking for consumers who may be affected. Not only birthdays, addresses, email and employment information, but also Social Security numbers and income data were taken from Anthem. And potentially, although the company has said it was not, there's no evidence of it so far, critical health information. This breach comes after J.P. Morgan indicated a loss of personal information to hackers of about 83 million households. Of course, in November, hackers that the United States government has said had ties to the North Korean government orchestrated a destructive attack on Sony. The Sony attack would be comedy, but it is literally no laughing matter.
To other businesses, including financial institutions on Wall Street, health insurers and others whose vital data may be taken. And to quote the F.B.I. agent in New York who supervises the cyber and special operations division, quote, we are losing ground. That's a quote. We are losing ground in the battle with hackers. In December of 2013, we first learned about Target's data breach, which affected credit card information and personal contact information for as many as 110 million consumers. The point here is that these losses of data are not only losses to these companies, they are potentially life-changing losses to consumers. Target and J.P. Morgan and Anthem failed not only the companies, but they failed their customers and consumers when these data breaches occurred. This fact of life is more than the cost of doing business for these companies. It is an invasion of their privacy. It's an invasion of consumer privacy. Potentially theft of identity and personal assets. So the billions of dollars that could have been saved by consumers, creditors, banks and others of companies and universities were collecting sensitive data, spent money and resources on better protecting that information is one of the facts that brings us here today. As attorney general, I brought a number of enforcement cases against companies that violated Connecticut's data breach law, and I worked with my colleagues, including Lisa Madigan, who is here today. But I worked with Kelly Ayotte, who is now a colleague. So this issue is hardly a partisan one. In fact, it is distinctly bipartisan, involving stronger protections for sensitive consumer data, and we recognize the states as laboratories of democracy and the great work that they've done in this area. So let me just conclude by saying I think that we have a lot of work that needs to be done, a lot of good work that should be done. But one guiding principle is first do no harm.
That is, do no harm to the state protections and state enforcers who every day are seeking to protect their citizens from this scourge and spreading the problem of data threat. In order for consumers to trust retailers, banks and online sales, they need to know their data is secure, without abuse, whether they're shopping online or at bricks and mortar stores. Retailers collecting their sensitive information will do everything in their power to protect that data, and that's a reasonable expectation. They have a right to expect better than they're now receiving from retailers, companies, insurers, banks, all of the institutions, including universities and nonprofits, that increasingly have the coin of the realm, which is data about consumers. Thank you, Mr. Chairman.

Thank you, Senator. We now will turn to our witnesses. With us today is Ms. Cheri F. McGuire. She is Vice President, Global Government Affairs and Cyber Security Policy for Symantec. Mr. Mallory Duncan, general counsel, National Retail Federation. The chief information officer at Brown University, but easier for me to say Wichita State University, his previous employer. The Vice President for Information Technology technology counsel. The attorney of the state of Illinois. And finally, Mr. Doug Johnson, senior vice president and senior advisor, chief economist of the American Bankers Association. Let's begin with you.

Thank you very much. Thanks for the opportunity to testify today on this very important issue. As the largest security software company in the world, we are made up of millions of sensors that give us a unique view of the entire internet threat landscape. We all have seen, even as of this morning, the recent headlines about cyber attacks have focused mostly on data breaches across the spectrum of industries. These network intrusions that result in stolen data have deep and profound impacts.
For the individuals who must worry about and clean up their identities, for the organizations whose systems have been penetrated, and for the government trying to establish the right notification policies as well as deter and apprehend the perpetrators. The magnitude of thefts of personally identifiable information is unprecedented. Over just the past two years alone, the number of identities exposed through network breaches is approaching one billion. And those are just the ones that we know about. While many assume that breaches are the result of sophisticated malware, the reality is more troubling. According to a recent report, 90% of last year's breaches could have been prevented if organizations implemented basic cyber security best practices. While the focus on data breaches and the identities put at risk is certainly warranted, we must not lose sight of the other attacks that are equally concerning and can have dangerous consequences. There are a wide set of tools. Last year, nearly 60% of data breaches occurred through network intrusion by unauthorized users. Another major cause is a lack of basic computer hygiene practice. While good security will stop most of these attacks, which often seek to exploit older known vulnerabilities, many organizations do not have up-to-date security or patch systems, do not make full use of the security tools available to them or have security unevenly applied throughout their enterprise. So what can we do? Cyber security is about managing risk. Assessing one's risk and developing a plan is essential. For organizations, there are many guidelines, including, as you discussed yesterday, the Cyber Security Framework, the F.C.C.
Guidelines for Small Businesses, the Online Trust Alliance Data Protection and Breach Readiness Guide and many others. For the individual, we provide resources to our Norton customers, and the F.T.C. and others have many tips available on their websites. And, in fact, just this week the S.E.C. published best practices for individual investors to secure their online accounts. In short, there's no shortage of available resources. Strong security should include intrusion protection, reputation-based security, behavioral-based blocking, data encryption, backups. And while the criminal tactics are evolving, basic cyber hygiene is still the most cost-effective first step. Turning to the policy landscape, Symantec supports, as you said, Chairman Moran, a balanced and thoughtful national standard for data breach notification built on three principles. First, the scope of any legislation should apply equally to all entities that collect, maintain or sell significant numbers of records containing sensitive personal information. This covers both the government and private sector. Second, implementing pre-breach security measures should be central to any legislation. New legislation should not simply require notification of consumers but should seek to minimize the likelihood of a breach in the first place. Third, encryption or other measures that render data unreadable or unusable should be a key element to establish the risk-based threshold for notification. This limits the burden for both consumers and for the breached organization. We are committed to improving online security across the globe and we will continue to work collaboratively with our partners on ways to do so. Thank you again for the opportunity to testify again today.

Exactly five minutes. Thank you very much. Mr. Duncan?

Chairman Moran and members of the subcommittee, thank you for this opportunity. Data breaches need to be correctly and forcibly addressed.
It fundamentally affects our economy's push toward greater efficiency and cost-effectiveness. By way of context, there is a long history of interception by individuals and governments, from opening letters to tapping and telephone conversations. Today, we had supercomputers and the internet. They're creating a public network with no boundaries, far more versatile and efficient than all the technology that has gone before it. Governments entrust them with critical infrastructure, businesses with their most valuable intellectual property, and millions of people type their deepest secrets into Google, all while knowing the system is vulnerable. This technology is still in its infancy, having commercially begun just a quarter century ago. We are still discovering its capabilities and implementations and risks. We are here to address one of the most significant risks to emerge, data breach. It is Congress's challenged with some nice incentivize companies to manage this risk. How can Congress do that? There are three essential elements. Uniform notice, express preemption and strong consensus law. Let's recognize that data breaches affect everyone. The 2014 Verizon report, retailers and suffered their share of breaches, 11%. Government ag