Hearing of the House Commerce, Manufacturing, and Trade Subcommittee of the Energy and Commerce Committee - Reporting Data Breaches: Is Federal Legislation Needed to Protect Consumers?

Hearing

Date: July 18, 2013
Location: Washington, DC

Today the Subcommittee addresses the federal role in data breach notification.

It is alarming just how common data breaches have become. Since 2005, at least 600 million records containing consumers' personal information have been compromised as a result of more than 3,800 data breaches in the United States. At least 72 million personal records have been compromised in the time since July 2011 alone, when the Subcommittee last considered this issue.

Every type of entity has proven vulnerable, including private sector companies of all sizes; colleges and universities; and federal, state, and local governments.

Breaches result from a wide variety of causes. External criminal attacks, dishonest insiders, and simple negligence can all be responsible for compromising consumers' personal information. Moreover, in recent months, it has become abundantly clear that commercial data breaches can also result from state-affiliated cyberattacks.

Consumers face severe threats to their financial well-being when data like banking information or Social Security numbers are compromised. In 2012 alone, more than 12 million U.S. adults were victims of identity theft or similarly costly forms of fraud. Less reported, but also of concern, is when breaches, nonfinancial in nature, threaten consumers' privacy, including breaches involving health-related information, biometric data, or a person's precise location.

Nearly all U.S. states and territories now have laws that require notice for their own residents when a data breach occurs. These laws vary greatly, but several are quite strong, ensuring that consumers receive prompt, clear, and complete notification when their personal information is breached and providing them with resources to protect their financial well-being.

I am glad that these laws have been enacted. But after-the-fact breach notification is only half of what is needed. The private sector also must take reasonable steps to safeguard personal information.

When it comes to information security, prevention is the best medicine. Research shows that the vast majority of attacks on commercial data -- 78%, according to the Verizon RISK Team -- utilize simple tactics easily thwarted by basic security infrastructure and procedures.

There are many companies that take information security very seriously and work diligently to combat this problem. And perhaps there will always be cybercrime. But unfortunately, there are also companies that are not doing enough to prevent breaches, and consumers are paying the price.

As the Subcommittee moves forward with its work on information security, I strongly encourage all members to keep two points in mind. First, federal legislation must not move backward by undermining those states with strong breach notification laws. And second, effective security for consumers' personal information indisputably requires both breach notification and reasonable safeguards for commercial data.

I look forward to the witnesses' testimony and to our discussion today of this important topic. Thank you.
