
Data Security Executives Testify on Safeguarding Consumer Data  CSPAN  May 9, 2024 8:47am-10:04am EDT

8:47 am
>> data security executives testified before a senate commerce subcommittee on protecting consumers' data against unauthorized access. they offered recommendations such as stronger authentication methods and the establishment of a federal privacy protection standard. this is about 90 minutes. [inaudible conversations]
8:48 am
[inaudible conversations] >> welcome to the subcommittee on consumer protection, product safety and data security. we'll come to order. i apologize for being a bit late. senator blackburn was here quickly. she is en route. we're at a pivotal moment in the age of technologies that rely on increasingly massive consumer data. obviously, artificial intelligence has gotten the lion's share of publicity but that's nowhere near the limit.
8:49 am
businesses collect or process data ranging from personally identifiable information, name, address, likeness, as they say in college these days. obviously, sensitive data like physical locations and browsing history. the threats to consumers' data that companies face are complex and, in almost every way, daunting. as companies collect more data, they become more attractive targets for data breaches. and, by that i mean criminal activity. each breach costs companies nearly $4.2 million per incident. and consumers shoulder the financial burden and reputational harm of each incident. how many more consumers need to be victims of identity theft for us to take action?
8:50 am
how much longer should we allow personal data to be sold on the dark web for profit? when will cyber criminals be stopped, or at least deterred, from preying on our data? these data breaches hurt small businesses, large corporations, and everything in between. in 2023 alone, there were 3,205 data breaches in the u.s., and that's what we know of or were reported. 353,000 individuals were severely impacted. 10% of publicly traded companies reported a data breach impacting, in total, 143 million individuals. these data breaches can have devastating effects. a nationwide wireless carrier's data breach exposed the data of 70 million customers. a large health insurer, this was
8:51 am
recently widely reported, saw their system grind to a halt, which delayed important healthcare payments and exposed critical health data. this is why we need strong requirements for how companies collect and protect our data, conduct routine risk assessments, and establish strong internal and external safeguards for data. we need a strong national privacy standard that includes data minimization and data security. obviously, data minimization establishes specific categories to turn off the spigot, as it were. turn off the spigot of data that companies collect from consumers so that companies aren't just collecting everything they can. data security establishes clear requirements for how companies should safeguard the data that they do collect, so breaches are less common. we need to give consumers meaningful control over how
8:52 am
their data is used. this will restore consumers' confidence in the technology that powers our economy. and i think states clearly are not waiting for the federal government to act. already 16 states, including colorado, have passed, or are in the process of passing, their own state privacy laws. other states are talking about it. there are lessons we can learn from these state laws. for example, colorado's law has a temporary right to cure for businesses to comply or adapt to privacy requirements. there are also areas where the federal government has to step in to issue rules and apply enforcement, consistent definitions for key terms like sensitive data, or to issue nationwide rules. the draft american privacy rights act is an important, bipartisan, compromise framework for congress to build upon. i commend chair cantwell and chair mcmorris rodgers in the house for their efforts to bring this proposal forward.
8:53 am
we're committed here to listening to all perspectives on data minimization and data security. minimization and security are obviously interconnected, interrelated. together, they represent the foundation of a strong data privacy framework on which we can build. we have an opportunity right now, and an obligation right now, to build meaningful, bipartisan consensus around these complex issues. that's what i look forward to hearing today from each of our witnesses. i would like to welcome each of the witnesses who are joining us today: james lee, chief operating officer for the identity theft resource center; sam kaplan, who is assistant general counsel of palo alto networks; prem trivedi, policy director for new america's open technology institute; and jake parker, senior director, security industry association.
8:54 am
i now recognize our ranking member, our vice chair senator blackburn, for her opening remarks. >> thank you so much, mr. chair. apologies for people kind of coming and going. we had a 2:30 vote that ended up getting called. but i am so pleased. i know chair cantwell and ranking member cruz are on the floor right now, but i am appreciative that chair cantwell has brought privacy back into focus. i've worked for over a decade for congress to take action in this area. and when senator welch and i were each on the house energy and commerce committee in 2012, we brought forward a data security and breach notification bill. it was the first of the privacy
8:55 am
and data security bills and it was bipartisan. it would take steps to protect the security of data from businesses. it would've required security data breach notifications and allowed the ftc and state attorneys general to hold companies accountable for violations of the law. so that is where we were in 2012. and as we now know, this issue, since it hasn't been addressed and it hasn't been resolved, is growing more and more urgent every single day. the need for the swift adoption of smart and effective data privacy and security legislation is pressing for several reasons. first, china and other bad actors are
8:56 am
not slowing down. now, fbi director christopher wray was before a judiciary committee meeting, and he said something pretty significant. he said, if you are an american adult, it is more likely than not that china has stolen your personal data. and he also said china's vast hacking program is the world's largest, and it has stolen more americans' personal and business data than every other country combined. we need to be paying attention to this. this threat is especially magnified as china seeks to become the world leader in artificial intelligence by the time we get to 2030. china plans for ai to power its vast surveillance state, and data collection and retention is at
8:57 am
the heart of their strategy. at the same time, as ai technology becomes increasingly intertwined in our daily lives here in the u.s., consumers have valid questions about how their data is going to be used to train these large language models and in applications. i hope today that we will discuss why we need federal privacy and security legislation to combat these threats. second, congress is past the point where we risk ceding our authority to both states and other countries. as we all know, state governments are quickly enacting privacy laws, creating a patchwork of regulatory headaches for our businesses. 15 such laws exist, including
8:58 am
tennessee and colorado. and the europeans have also beaten us to the punch. several years ago they did gdpr. they are now using gdpr as the foundation for regulating ai. yet, we can use the eu as something of a cautionary tale about the need to make regulation smart and effective. i visited the eu to work on this issue last year, and i heard stories from one of their data protection authorities about how they've been asked to resolve disputes over bank accounts after a couple divorced, or resolve a dispute between neighbors about the location of an antenna. so let's be smart and let's not make the same mistakes, and let's not overreach. we know our friends, the europeans, always have a
8:59 am
heavy-handed approach, which makes it even more imperative that we act in a thoughtful manner. moreover, without congressional action, the ftc will proceed ahead with its commercial surveillance and data security rulemaking, which it launched in 2022 without congressional authority and direction. congress should be studying these rules, not unelected. finally, while this hearing will likely feature much discussion on concepts like data minimization and other data security practices, we must not forget about the cybersecurity threats posed by new and emerging technology. one area of great interest to tennessee is quantum technologies. through methods like harvest now and decrypt later, once bad actors steal encrypted data
9:00 am
today, nothing can stop them from decrypting your data tomorrow with quantum technology. that's why this committee must move quickly to examine this technology and reauthorize the national quantum initiative act. i would love to work on this with our chairwoman and the team here on the committee. tennessee is a leader in financial innovation and in technologies like quantum computing. and oak ridge national lab is at the forefront of basic and applied science research. when i speak with people in the state, they ask me how we can best tackle privacy and data security issues while also continuing to allow innovation.
9:01 am
this committee must be thoughtful in our approach but mindful of the realities the congressional calendar imposes. >> and now remarks from each of our witnesses. the term witness gives a false sense, i don't know, insecurity perhaps these days. anyway, we'll start with james lee, chief operating officer, identity theft resource center. >> thank you, mr. chairman, chairman blackburn. i am mr. lee, and the core of our business is to provide for victims of identity crimes and we do research on identity
9:02 am
crime trends. and a lot has happened since we were in this room in 2021 to talk about this subject. we've seen bad actors shift their focus and expand their reach and we've seen them accelerate their innovation attempts. we may, in fact, be in the beginning of what is the golden age of identity crime. it's fueled by stolen personal data made highly effective and efficient by ai, and many are all but helpless to defend themselves. why do i say that? i'll give you some scope of the problem. data breaches are the fuel for identity crimes, all identity crimes, and stolen log-ins and passwords. 3,205, an estimated over three million people, some people hit more than once, a 78% increase from the year before.
9:03 am
that's a 72% increase from the previous one which happened the last time we had this hearing. from a financial standpoint, more than two-thirds of the people who contact the itrc are losing more than $500. within that subset, 30% of them are losing more than $10,000. and we are now routinely hearing from people who are losing six and seven figures in financial losses due to identity scams. most troubling trend is the number of people who have decided that their only way out is self-harm. 16% of the people who contacted us in 2023 said they contemplated taking their own life. for the decades before that, that number had never been higher than 2 to 4% and now, 16%, doubled in one year and we do not see it slowing down. and also, unlike past years, we now hear routinely from
9:04 am
grieving families who are still being attacked by the identity criminals who are trying to keep the scam going. we don't advocate one way or the other for legislation or regulation for the most part, but we did provide a tip for information. with that in mind, we're still in the same place we were last time: the best way to prevent identity crimes is to prevent the identity victims in the first place, uniform minimum standards for data protection and use. minimal technical and nontechnical, and our world is driven by software and fueled by data. compliance with comprehensive, but not necessarily prescriptive, minimum standards can reduce the risk of exploitation, but standards are more than metrics, they are practices like data minimization, which is a concept that's predicated on a very simple truth. if you do not have the data,
9:05 am
you cannot lose it. and if it's secure, it cannot be misused until we get to quantum computing, and that's a different discussion. routine risk assessments also help ensure information systems are secured in a manner equal to the risk. that's very important. equal to the risk that an organization faces. you add two other complementary concepts, privacy by design and security by default, and you have all the tools needed to keep privacy and security at the forefront of a company's culture and in every stage of a product's life, to be effective in reducing identity crimes. uniform standards also need strong enforcement. defenders must continually measure their progress and constantly adjust to the new task, and you do that through audits. and there's a need for strong enforcement actions when it comes to data breach notices, increasingly effective even if a notice is issued. let me give you two examples.
9:06 am
in the first three months of this year, 32%, 32% of data breach notices had information about what caused the data breach if it was linked to a cyber attack. reverse that number and that tells you how many didn't include information about what happened. that number was 100% of data breach notices until the fourth quarter of 2021. the average number of new data breach notices in the u.s. is nine per day. in the european union, one of the things they do get right, 335 every day. we are missing data breach notices and there are plenty of examples to prove that. one final thought: if we adopt data minimization, and we should, and give consumers more access over their personal information, that's a vital part of data, and they can significantly reduce the amount
9:07 am
of information in a data breach and to criminals. and there's going to be one. but personal information used responsibly and transparently to verify a person is who they claim to be, from opening a bank account, applying for a government benefit, et cetera, can effectively prevent someone from becoming a victim of identity fraud. restricting use of personal information for fraud prevention as part of control or data minimization could have the unintended effect of aiding criminals and negatively impacting those who are victims of identity crime. thank you, and i look forward to your questions. >> thank you very much. >> now, mr. sam kaplan, the assistant general counsel of palo alto, who spent time in colorado. >> thank you, chairman
9:08 am
hickenlooper, ranking member blackburn and distinguished members of the committee, on how cyber security is part of consumer protection. i'm sam kaplan, assistant general counsel for public policy affairs at palo alto networks. i've spent the bulk of my career working in data, across the federal government, to include as the dhs privacy officer, and served on the privacy and civil liberties oversight board at the u.s. department of justice. for those not familiar, we are an american headquartered company founded in 2005 that has since become the leading cyber security company. we proudly provide cyber defense capabilities to enterprises around the world, supporting 95 of the fortune 100, critical infrastructure of all shapes and sizes,
9:09 am
the u.s. federal government, universities, educational institutions and a wide range of state and local partners. this means that we have deep and broad visibility into the cyber threat landscape. we are committed to being a good cyber citizen and a trusted security partner with the federal government. it's no secret that cyber attacks cause real impact to our daily lives, from disruptions of public services like health care or emergency services to compromises of americans' sensitive data. with that backdrop, palo alto networks strongly believes that deploying cutting edge cyber security defenses is a necessary and effective enabler of data security and privacy. bottom line, effective data security and data privacy requires cutting edge cyber security protection. organizations should be encouraged to protect data by implementing robust data and
9:10 am
network security practices that can both help prevent incidents and data breaches before they occur in the first place and mitigate the impact should an incident occur. to stay ahead of this evolving threat landscape, cyber security professionals regularly leverage security data, which is the network telemetry, the ones and the zeros, the malware addresses, the vulnerability enumeration that we must adjust in real-time to optimize cyber defenses. to that end, we are heartened to see cyber security generally in frameworks so companies like ours can collect, process, retain and transfer security data to in turn better protect those systems and data from compromise. today's cyber threat landscape requires that approach and everyone's personal privacy will benefit from that framing. to that end, palo alto recommends organizations focus on the following actions to
9:11 am
bolster their cyber resilience and increase their data security posture. first, leverage the power of ai and automation. for too long cyber defenders have been inundated with alerts to triage manually, which can lead to data breaches. ai can help flip this paradigm. second, attack surfaces, to help identify and mitigate vulnerabilities before they can be exploited. third, implement a zero trust network architecture to prevent and limit an attacker moving laterally across the network. fourth, promote secure ai by design to assist with inventorying ai usage, applying policy control and securing applications built with artificial intelligence. fifth, protect cloud infrastructure and applications; as cloud adoption accelerates, cloud security
9:12 am
cannot be an afterthought. sixth, maintain and test an incident response plan to prepare for and respond to cyber incidents. our team at palo alto networks is dedicated to securing our digital way of life. we enthusiastically participate in cisa's jcdc and situational awareness and landscape with key partners. reinforces that cyber security is truly a team sport. thank you again for the opportunity to testify on how cyber security is a foundation of data privacy, and i look forward to your questions. >> thank you, mr. kaplan. now i'll introduce prem trivedi for new america's open technology institute. >> thank you for the opportunity to speak with you today. i'm prem trivedi, policy director of the open technology
9:13 am
institute of new america, a nonprofit and nonpartisan organization dedicated to realizing the promise of america in the era of rapid social and technological change. oti has worked to make sure that every area has access to benefits. and oti looks at strong needs that protect consumers while allowing flexibility for innovation, which takes me to my first point. data security and consumer privacy are two sides of the same coin. strong safeguards, including minimization, are vital for consumers. it's a powerful principle that requires collecting, using, sharing and retaining only the data necessary to provide a service or a product, and strong data security safeguards are needed in this era of ai. training many ai models requires ingesting huge data sets, and as companies race to
9:14 am
acquire more data, the pressures to adequately protect it keep increasing. so a baseline federal standard on privacy and data security is essential to ethically and effectively regulating ai development. and i'll add, cyber security practitioners recognize it goes beyond consumer privacy because it can look at breaches and incidents. they can't misuse data that they don't have. and companies can't steal data that they don't have. the next point shows that americans want strong data security and there's no national standard to protect all types of data, and americans know that tracking of activities is pervasive. that's probably why 75% of americans lack confidence that the government will hold companies accountable if they compromise their data. all of this negatively impacts ai and leading ai
9:15 am
companies, many of which are u.s. companies, small and large. and the good news is that more than two-thirds of republicans and democrats support more regulation of companies' data use. and we've been heartened to see the recent reemergence of a credible bipartisan proposal on data security via the american privacy rights act. and the strong data minimization machine will address the broken approach, and it would take people hundreds of thousands to read the privacy policies, and most click on agree without reading those policies. this isn't meaningful notice, it's not meaningful consent and it's not clearly achievable in our activities. data minimization shifts the responsibility from the consumer onto companies, to use only what
9:16 am
the company needs to provide products and services. this is far from a new concept in corporate management playbooks and we can get there without stifling innovation or burdening companies. and the best practices in privacy and security should become baseline across all sectors of our economy. here is a short list of those: first, collect, use, share, retain only data that's relevant. second, whenever possible, use encryption to securely store and process data. third, apply strong controls that ensure only the people who should be able to access data can, in fact, access that data. fourth, use strong methods for authentication. fifth, further study and standardize over time the use of privacy enhancing technologies. and sixth, routinely
9:17 am
assess data security, as you've heard from other witnesses as well. these best practices should be in federal law with flexibility to account for companies' size and capacity. data protection is consumer protection. and we need sensible data stewardship. and u.s. leadership on ai requires congress address the consumer trust gap, and we appreciate the committee's bipartisan leadership on data security and privacy. thank you again for the opportunity to testify before the subcommittee. i look forward to your questions. >> thank you very much. now go to mr. parker, or the director of -- senior director of security, thank you for being here. >> thank you for the opportunity to participate in
9:18 am
today's hearing. i'm with a nonprofit trade organization representing more than 1500 companies that provide products protecting lives, properties, businesses, schools and infrastructure throughout the nation. data security is essential to the operation of security systems and services, and our members are committed to protecting personal data, whether it's consumer or operational data. practices like data minimization and design, successful implementation of many types of these products. for example, when it comes to access control and video systems, features like data encryption, which we talked about a little here, permissions based access, decentralized data storage, data processing, data deletion schedules all serve to eliminate the data for misuse and limit the usefulness of data if it's compromised. another example, the mode proofing services essential to preventing identity theft and
9:19 am
fraud as attackers become more sophisticated. and these are provided by our industry, especially biometrics, reducing the exposure and vulnerability to hackers, and increasing rapid data security that must be addressed. beyond technical standards, product features, best practices and security tools, having the right public policies in place will also address data privacy and security. there's a key role for those. so, states like colorado, texas, tennessee, and by my count, by the end of this month there will be a total of 19 states with active data processing and security laws, covering almost half the population of americans. having a national uniform standard could provide more to businesses and further enhance security.
9:20 am
and we've been following the renewed discussions here in congress regarding development of such a standard and are encouraged by the progress. and it's essential that data continue to be utilized as needed for safety and security purposes. for example, our members and their customers are often the first to raise the alarm in emergencies, we're having to write data health and law enforcement and other responders get where they need to be as quickly as possible. as i mentioned earlier, many that are used for authentication accomplish the goals of the draft proposal that we are looking at in section nine, i think was mentioned earlier. having a uniform and workable national standard requires strong state and local preemption, to avoid layering additional requirements. this is really important to our industry. it needs to limit risk to businesses from opportunistic abuse of lawsuits, which we've certainly seen in some jurisdictions over privacy matters. and need to make sure that we
9:21 am
accomplish those objectives in what we put forward. i appreciate you holding this hearing and your leadership in putting a spotlight on data security, and doing what we can through our data advisory board and cyber advisory board in particular to provide key research and adoption of best practices for data security, as i outlined in my written statement. and our members look forward to working with you on these issues. >> great. >> thank you all for being here. i realize how busy you all are, and it's some sacrifice to come and share your information and your data with us. >> let me start off with you, mr. trivedi. lincoln famously said with public sentiment nothing can fail and without it nothing can succeed. many states established their own laws, soon to be 19 states that will pass their laws.
9:22 am
and this is all about how, what types of data businesses can collect, how consumers should be notified. consumers can be better protected, i think, businesses can more fairly compete when there are clear, consistent rules of the road and especially for small businesses. i think this is such an important -- mr. trivedi, how do you believe a national standard for data minimization and securing data benefits customers and privacy and how we get the word out to them, get that public sentiment behind us? >> thanks so much for that question, chairman hickenlooper. i might start by saying, americans know that the data represents the most sensitive aspects of their lives and that's why they're clamoring for stronger protections for it and a national standard would set equal protections for all americans and uniform expectations for all companies which is something they've been
9:23 am
clamoring for as well. that kind of clarity in the regulatory environment is sorely needed because the u.s. legislative regime for data privacy and security is fragmented in ways that make consumers more vulnerable and require companies, and this is particularly burdensome, i think, for companies, compliance in response to state patchworks and clear national rules of the road. i think i would also add to your question about small business in particular, that many of these small businesses do not want to be hoovering up as much data as possible to run their businesses, but there aren't credible strong national standards and they feel as though there's a competitive disadvantage if they're not collecting as much data as possible. that, as we've heard, puts consumers at risk and also puts the companies at risk, so i think that a data minimization approach and common at the federal level helps these companies do what they want to do, which is being responsible data stewards. >> let's agree and certainly
9:24 am
hope you're right. certainly ai has created a fascination with the value of all data and there seems to be a little bit of a race on minimization, not quite appearing as frequently as it has been since ai's gotten more currency. mr. kaplan, on a bipartisan basis, congress passed the cyber incident reporting for critical infrastructure act a couple of years ago to require critical infrastructure operators to quickly report cyber incidents, so we can understand the threat landscape as it changes. the ftc has issued penalties against companies they found were unfair or deceptive in their data security practices after the consumer data was exposed. gathering and sharing information about the specific ongoing attacks, as well as the broader industry trends, helps
9:25 am
us establish the defenses to prevent future incidents, especially, obviously, data breaches, across sectors. so in your experience, mr. kaplan, which vulnerabilities are most important to address in order to prevent criminals from assessing or accessing consumer data? >> thank you, senator. that's a very great question. so in our experience and conveniently, every year, palo alto networks publishes an incidents response report which provides an aggregated summary of the key trends that we've seen in how air force are -- their they're looking. and the phishing attempts, essentially open doors available on public websites
9:26 am
that haven't been patched through updates or upgrades to software and systems. as a result, they're having relative ease to gain entree into those systems. one that we've noticed is remote desktop, or rdp. if exploited, it can provide threat actors and attackers easy access to a deep level of administrative privilege into a victim's system to better and quicker exfiltrate data. these rdp vulnerabilities will unlock the keys to the kingdom, if you will, so they're a concern for our company. it's critical that we make it as difficult as possible through layered defenses and some of the best practices that i identified in my opening
9:27 am
statement with regard to zero trust architecture, to prevent attackers from moving laterally across the system and close the open doors and to have better understanding and visibility in your relative attack surface. >> we'll get back to some of that. the danger of any hearing like this is we call attention to some of the open doors, but it increases your commercial activity in all of yours. i'm going to turn it over to my vice chair, senator blackburn, for some questions. >> and thank you all so much for your testimony. and i appreciate getting your perspectives on this. i want to start with gdpr. i mentioned that in my opening remarks and let me ask you, are each of you involved in some
9:28 am
way in the eu, or your companies involved in some way in the eu? a show of hands is fine. okay, so two of you are. mr. trivedi, you're trying to decide if you are or not. [laughter] >> only to say that we're not companies, but nonprofits tracking. mr. lee, likewise. what, as we look at this and as i mentioned, our friends in the eu know they went a little bit too far, but companies already have these protocols in place to meet the gdpr standard. so, as you look at what they have done in the eu, and canada has a new, new zealand has a law, australia has had a law, all protecting their citizens in the virtual space. mr. lee, start with you and just go down the line. what should be the lessons that we learned and what should we take away from the gdpr
9:29 am
experience? go ahead, and just very quickly so i can work through my questions. >> the thing i think they got right is dealing with some of the more technical aspects, making sure that you are having the programs that you need in place and that they meet the risk that you are facing. so, it's not necessarily a prescriptive standard, but it's-- you have to assess and report. and when there's a data breach, you have to report that to the data authority for that country. >> it has an assessment and reporting mechanism. you would say that they got right. mr. kaplan. >> thank you, senator, that's a great question. i would say from a macro level, the things they got right are sort of a uniform standard. regulatory complexity across multiple markets just increases costs, and from the cyber security perspective, the source-- and the resources that are dedicated to responding to
9:30 am
incidents should be operationally responding to incidents rather than looking at regulatory-- >> i would say we need one set of rules for the entire internet ecosystem with one regulator. yeah. >> predictability in lessening regulatory-- >> it's the whole thing, isn't it. mr. trivedi? >> thank you, senator, for the question. the first lesson you highlighted is moving swiftly to establish that uniform standard; that's something we should emulate. i think it's worth saying gdpr has not been strong enough on data minimization. i think working here in the united states, we could do it better. and i think they give too much [inaudible] what minimization means. while we have reasonableness and flexibility, a strong and flexible approach, i think there's an opportunity for an american approach that works differently for us. >> thanks.
9:31 am
mr. parker? >> the emphasis on what they've done already, and point out it's a little different than what the proposal we're talking about now at the federal level is. just based on what i've also-- feedback from members we've had is there's definitely been an issue with conflicting interpretations over time from the national data protection authorities within the eu, causing problems for businesses doing, you know, work across the different jurisdictions. but of potential relevance here, the overlap between the ai act and the gdpr, and in some cases they're going to get resolved with one another, and it's causing confusion. >> and digital marketing and digital services and some of the overlap there. let me-- i want to go to the data minimization issue. and again, just down the line,
9:32 am
mr. lee, starting with you. what is your opinion of data minimization as a security principle in this debate? >> i think it's integral. if we're going to reduce identity crimes and victims, we have to reduce the supply of data. >> right. >> that can be abused by individuals, if it's stolen or even if it's just accidentally exposed. if you don't have it, you can't expose it. >> so you tie the two. >> yeah. >> as you said, data breaches are the fuel, so that ties in. mr. kaplan. >> senator, from a macro perspective, i think that data minimization is an increasingly useful principle, especially in lessening the attack surface, especially for those companies doing business with consumer-focused data. to that end, and also where we think that
9:33 am
legitimate and broad, not broad, but targeted permissible purposes like protecting the information can be critical. but minimization can be an important tool. >> so you would segment it. >> correct. >> okay, mr. trivedi. >> thank you, senator. i would say data minimization is central, for the reasons that witnesses have highlighted as well. the attack surface is lessened when you're intentionally collecting only what you need. you can't, again, you can't exfiltrate or hack what isn't there in the first place. >> all right. mr. parker. >> i mean, there is a bit of a difference between data minimization as an operational principle and a policy principle. so from an operational standpoint, it plays a big role in data security. from a policy perspective, i know there's the overall approach of having a set number of permissible purposes for collecting and processing data. certainly, it could work. i know there are some questions
9:34 am
out there about what about future-proofing, is that going to be too narrow, and do they cover what they need to now. those are legitimate questions, but an interesting approach. >> can i ask-- oh, peter is here. go to him. i've got another question i want to ask. >> and-- >> i do, i wanted to talk about china, because we just enacted legislation to force bytedance to divest from tiktok. and the threat from china is more than tiktok. a more holistic approach, rather than playing whack-a-mole, is beyond the apps. china is using drones, cranes, and potentially routers to spy
9:35 am
on americans. how should congress approach the broader data security threat from china, and what do you see as a good policy solution to this? mr. lee? >> i'm just a humble victims' advocate. but we do have to recognize the nation states, maybe not for the same reason as professional criminals. they want the information, and it's important that it is protected from whomever wants to misuse it for whatever reason they want to use it. china is certainly a nation state that has great capabilities, and we know that they have a lot of data about individuals for intel purposes. we have to assume there are other countries, friends and foes, who do the same. and an approach for data protection needs to be universal in its approach to whomever is acquiring the information. >> mr. kaplan.
9:36 am
>> senator, yeah, the threat from china is something that we are tracking every day on a regular basis, both the threat with exfiltrating information to china, but also other malign nation states that are looking to leverage data within the united states. as a cyber security company we're principally focused on the security of the networks and information systems upon which that data relies, so broader policy sort of questions, how to deal more holistically with the problem, are outside of our purview. to that end, strong cyber protections and encouraging information sharing with the federal government, as we regularly partner with regard to that threat. >> thank you for the question. i think you're importantly highlighting the ways in which data security and data protection have a national security protection. we've been talking about consumer protection, which is vital, and this is not all just occurring within the context of our own borders, and as mr. kaplan mentioned there are
9:37 am
nations in competition for one another's data. there are costs for that. to answer your question about the right policy approach, at the top of the list should be establishing a federal data security and privacy protection standard, right? i think that's essential because it does all the things we've talked about, but also confers national security benefits on america as well. >> and certainly, what was just mentioned, establishing that standard in the federal privacy framework we're talking about would go a long way to doing that. certainly anything that's internet-connected, devices, is the target for exploitation by actors, implementing certain encryption protocols and protecting those specific devices. as an additional side note, a large shift with our industry away from manufacturers in china and sourcing equipment there that could possibly have vulnerability, especially in the commercial sectors, it's a
9:38 am
complete move away from those sources. >> thank you. senator welch? >> thank you. good to be here, senator blackburn. it's wonderful to see this pioneering work that you began when you were in the house, and it's only gotten more complicated, actually. let me ask a few questions about the privacy issues for individuals and then the cyber security that's essential for everyone. i mean, as you know, about 72% of americans believe there should be more regulation over what companies do with people's data. 67%, and i'm among the 67, report little to no understanding of how companies use their data. and 73% report that they believe they have little or no control over what companies do. so there's a question about my data, a citizen's data, and what companies do, and then there's
9:39 am
the question about hacking into systems and companies. tech companies have a high self-interest in doing everything possible to protect against hacking because it hurts them and their customers. i mean, where is the difference in the responsibility for protecting the system from being hacked? and i hear you saying there should be a national standard, and that national standard, what does that mean for small businesses that just don't have the financial wherewithal to be able to bear that burden, and how-- what those recommended protections, how they could be integrated affordably, organically, into systems that a small mom-and-pop business might deploy. and i guess i'd start with you,
9:40 am
mr. lee. >> thank you, senator. i'll work backwards. particularly for small businesses, this concept of the risk assessment is very important. >> that they have to do themselves? >> they would do themselves. that's where they understand where the risk is. if you're prescriptive and you must do x, that's a waste of their time, energy and money. if you do a risk assessment so you understand exactly what you're facing in your unique business based on the information you have from your customers, then you are meeting that risk as it is today and you're monitoring it to see what you have to do going forward. >> let me push back a little bit. i'm thinking, let's say it's a small record producer in nashville, a new startup. i mean, for that person in business to talk about what the customers need and then to be able to make the decisions to deploy, that requires the level of
9:41 am
sophistication that may not be the level of sophistication required to be a good record producer. i mean, i have a-- say you're a small law firm, let's say, a law firm with four lawyers, which is pretty small. we didn't have the demands or the capacity to do what the major wall street firms do. so what you're describing as a step that we should take seems out of reach for me for the millions of small businesses we have. it seems to me that this should be just available, baked into what it is you buy. >> i guess i would view that that's actually the foundational step. the one-size-fits-all we've taken heretofore is what burdens small businesses. when you take a tailored approach, it's specific to their business and specific to their data, then you don't have to do things which you know you're never going to. >> no, that makes sense. but what's the expense associated with that? >> depends which tool you're
9:42 am
using. >> give me a ballpark. i mean, i'm worried about the small businesses having to deal with these massive impacts on their small business. >> as, you know, we've got representatives of the world's largest cyber security organization, but there are small mom-and-pop managed service providers; that's what they do. there's, i'm sure, hundreds of them even in the nashville area and every city, and people who do that. >> okay, mr. parker, thanks. you mentioned future-proofing, which makes a lot of sense to me, but one of the things that i've found frustrating as a member of the house and now in the senate is we can't keep up with all the changes and all the methodologies by which there is hacking; even those far more expert than congress can't keep up with it. and the time has come where we need an agency, a digital
9:43 am
commission, much like, say, the ftc or fcc, that's properly staffed, properly resourced and has the capacity to keep up. if it's a one-off bill, problem a or problem b, it's a cumbersome and difficult process to get it done in a timely way through congress. do you have any thoughts on the wisdom of having such an entity that would have as its ongoing challenge protecting privacy and considering other issues related to tech? >> i mean, that's a great question, and i apologize, i don't have a great answer, but i know that the-- obviously, the state of california having something like that, having a privacy agency, and so, i know the issue has been discussed here as far as that. there's probably the opinion that most of the-- that we have existing agencies playing that role, and i
9:44 am
understand what you're saying. i know that's definitely bifurcated. >> well, you mentioned there should be a national standard, right? >> yes. >> that makes sense to me. who determines what that national standard is? >> well, i think that legislation would emerge from a number of stakeholders working together, but i would emphasize that it should be both strong and flexible, to your point about how smaller businesses are able to comply. we cannot expect a small record store collecting far less digital data than a large tech company. >> what would a national standard look like? strong and flexible makes a lot of sense to me. so what you're saying i agree with, but i'm trying to think of the practical way, to benefit it, x, to change it. and sitting up here, i know that's a tough ask for folks in this job who are determined to do the best they possibly can. so do your best to answer that question. >> sure, thank you, senator.
9:45 am
it's a very good question. i think there are some best practices i listed out that are near universal and would apply. for example, even small businesses can think about and implement access controls to make sure employees who don't need certain data can't access it. they can engage in data minimization relative to their capacity, which is to say think hard about what they need, and what they don't need they shouldn't keep; it's a risk to them. >> we have to make, the legislation has to determine that. it's not like you're asking the individual to determine that, right? >> right. i think that legislation should establish a strong set of practices, but there should be flexibility in how businesses of varying sizes comply with it, but there should be basic requirements that are common. >> do you have a template of what it is you think that congress should pass? >> well, i think we've seen some credible bipartisan proposals. i think there's good progress being made in the discussion on the american privacy rights act. i think that's a very promising proposal on the table today.
9:46 am
>> in terms of a template specifically for how small businesses can operate, i think that's something that we could get back to you on and think more about. >> all right. thank you. i yield back. >> thank you. now we have, by remote, senator klobuchar. >> thank you very much, mr. chair. thank you to the witnesses. i'll start out by generally saying that we need a national privacy law that creates rules of the road. i support sector reviewing and senator cantwell's discussion draft of the american privacy rights act. i strongly believe that consumers should have access to and control over how their personal data is being used. mr. trivedi, do you agree that consumers should have access to their data and control how it's used by companies? >> i do, senator, thank you. i think access and control rights are very important for consumers. >> okay.
9:47 am
thank you. mr. lee, and i'm having trouble hearing, but i'll try my best here. mr. lee, we also need to educate americans on how to identify and react to cyber threats. we know there are phishing schemes going on, and senator thune and i have introduced the american cyber security literacy act to educate the public on cyber security risks by requiring a cyber security literacy campaign to be conducted. can you talk about the importance of educating americans on how to avoid cyber security threats? >> education is the key to so many different things. in this case, it's part and parcel of keeping people safe. one of the things we learned from talking to victims every day, they're curious how to make sure it doesn't happen to them again. so having a comprehensive
9:48 am
approach that's led by the federal government would be very helpful, because, overall, identity crime victims don't get a lot of support anyway, because a lot of times people think of them as victimless crimes. trying to avoid that crime is even more difficult. education is going to be a key part of making sure that we are keeping people safe in this increasingly dangerous cyber world. >> agree. mr. kaplan, in just the past five months we've seen significant data security breaches, obviously united health group, at&t, microsoft. because these companies maintain large amounts of data on huge swaths of the population, hacks often can affect tens of millions of people. in your testimony, you noted that large companies have twice the number of systems exposed on the internet than what they were monitoring. what complications for
9:49 am
protecting consumer data arise from simply holding such vast amounts of it? >> thank you for that question, senator. yeah, holding that vast amount of data just increases, sort of, your attack surface and your vulnerability and makes you a more likely target of, sort of, the malign threat actors and nation states that are looking to, sort of, divine and exploit and pull out that data to make strategic use of it. with regard to the attack surface, this was one of the basic cyber principles that we also talked about. it's understanding what your internet-exposed attack surface looks like, understanding how many of the portals into your system are open to the public internet, and having visibility into existing vulnerabilities, misconfigurations, not-updated pieces of equipment or software that are exposed to the open internet that just give those malign actors entree into the system. so having the ability to see the
9:50 am
system and what your attack surface looks like to the attacker we think is a critical, critical piece of securing your infrastructure. that, combined with knowing what your data is, is a critical element of maintaining customer-- >> you noted in your testimony that the united health care change healthcare data breach is likely to be the largest supply chain, this is mr. lee, supply chain attack in history because of how many organizations depend on change to process insurance payments. when an entire industry relies on only one or two digital supply chain providers that hold huge amounts of data, how does that affect the impact of a cyber attack? >> for a cyber criminal, it's nirvana, if you can find a
9:51 am
supply chain. rather than one company at a time, if you can find the organization that has weak cyber security, not just from one company but all the people that they support, they're going to get massive amounts of data. and we've seen a 2600% increase in the number of organizations hit by supply chain attacks. not just that they were attacked. you may only have 100 companies attacked last year, but you had 2600 companies that were impacted by it. their data was exposed. so, for a criminal, these things are incredibly profitable, and it's something that we-- the whole topic of this information is how can we bring these other organizations up to speed so you do not have that risk from vendors to the larger organizations. >> yeah, i mean, we have been helping dozens and dozens of hospitals and pharmacies and other health care providers in
9:52 am
our state to become whole and to be able to function ever since that data breach, and clearly work has to be done here. so, you have-- you can't have all this data in one place. and then they don't have backup systems. is that-- would that be one of your suggestions? what would be your suggestions to protect this data? and that will be my last question. >> from a data protection standpoint, there's a lot to that, only one piece of which would be backups. there are just so many parts of the health care supply chain. it has been the industry that's most attacked for the last six years running because there are just so many different parts of it, so many members, you know, from mom-and-pop organizations all the way up to a united health care. so, while there are key things that need to be done, a big part of it is just making sure that everybody in that supply chain is aware they are
9:53 am
a target, they are at risk, and to act accordingly. >> exactly. thank you very much. thanks, everyone. appreciate it. >> thank you, senator. i've still got some questions, and i think one or two people might be on their way here, so i'll indulge myself. mr. parker, and i don't want to get you in trouble with any of your members in any way, but you know, the requirements for reporting a breach, whether it's ransomware or phishing or whatever it is, there really-- the penalties, unless someone paid the ransom, the penalties so far don't appear to be significant, in almost all cases. does there need to be incentive or some way to reward some of the smaller breaches that are happening more frequently, that don't get the attention and yet are, as i'm sure you're aware,
9:54 am
costing us tens of hundreds of millions of dollars in the country? is that-- i mean, how-- within the framework of your membership, how do we get everyone eager to make sure that they report each incident? >> it's a great question. i know, so, it's been a while since-- i think every state has a law on breach notification, and different-- and some have a private right of action. there's not a heavy hand, fairly light. i mean, i know some-- i know the other witnesses may have a better idea here. but certainly, something should be a priority for the ags that are enforcing these rules. >> right, but again, they need to have penalties or some way of moving through. anybody just want to comment on that? don't feel any obligation, because i have more questions. >> oh, i've got comments.
9:55 am
to your point, we-- it took from 2003 until 2018 to get all 50 states and territories and the district of columbia to have a data breach law, and they're all different. they all have different triggers, what is a breach, and data breach notice. and in every instance, it's the organization that lost control of the data that gets to decide if there's a notice. oregon will allow with law enforcement. other than that, the organization gets that. and what the information is, if you have information, what resources are available to you. when we talk about national standards, that's why we mention data breach notifications are part of that. those are both education opportunities for the individual, and they're opportunities to make sure that we don't have repeat
9:56 am
occurrences. >> absolutely. >> anyone else? >> you've all referred to, at one point or another, i don't know whether there's a certain amount of irony in some of the comments, but the swiftness of response. would you all agree that swiftness needs to be a goal, something that we should find ways of-- both within government, but also within the business community, of accelerating responses and making sure that swiftness becomes an important factor? we'll go this way just for a change of direction. >> absolutely agree with that. >> yeah, i think both on the cyber security incident response side and the pace at which we should move on data security, swiftness is essential. >> say that louder when you say that. i'm not just kidding. we want it to fill the room.
9:57 am
>> senator, swiftness when responding to a cyber incident is critically important. one of the things we've seen from palo alto networks is the average response time for companies, as recently as 2021, was 44 days. it would take companies 44 days to address a cyber incident when it occurred, and it was 44 days until they started seeing data exfiltrated by those attackers. we've seen that exfiltration timeline decrease to just days and hours. if you take that in context with the average time it takes for a company to respond to a cyber incident and mitigate it, it's six days; if the attackers are exfiltrating in one day, you're losing hours, and it's a critical aspect. >> mr. lee. >> i agree. >> great. thank you. i might have one more question. first i'm going to turn to senator budd. >> thank you, mr. chairman, and
9:58 am
again, thank you all for being here today. so much commerce, business, work and social interaction now takes place online, as you all know, and there's a large volume of sensitive data, and in many ways that data is the lifeblood of the economy, businesses, customers and online services. and i know this firsthand as a small business owner who has run digital advertising campaigns myself, and also know that the majority of businesses take data security extremely seriously. burdening customers with what may feel like arbitrary or overly sensitive personal information disclosures is a poor way to instill customer trust and protect against devastating breaches. mr. parker, you mentioned how important uniform standards and laws are to the security industry association members. is there an example that you could share where conflicting laws between states have
9:59 am
reduced business opportunities for any member companies? >> sir, so the-- kind of prime example of this is the illinois biometric data law, and it was formulated, i think, more than 15 years ago, when the technology was in its infancy, and certainly the way it was established created an environment where there's tremendous litigation risk in fielding the technologies, even if they're deemed to be compliant. so as a result, there's a number of our member companies who do not actually offer their products to customers in illinois anymore because of what's happened with that. >> any particular products that you can recall? >> well, you know, there's-- within biometrics there's different types of products, but just to give you an idea, 88% of the lawsuits under that law have been regarding biometric time clocks, so
10:00 am
basically a way to authenticate your identity for punching out of work, no allegations that harm actually occurred to anyone. there was some misstep in collecting consent and things like that that were found, and that was the basis for class action lawsuits and things like that, even if not-- even though-- in some products, certainly, in the security area, cannot even be fielded there under the rules, but in other cases, you know, products like that, some people were just, they forget that we're not going to even bother. >> you know, the savings from those systems, i would note firsthand, and they save businesses money and they make them more competitive and allow them to hire more employees, so i see the challenge there. mr. parker, can you speak to how uniform national requirements and legal liabilities would protect personal data? >> yes. so i think having a national standard, you know, that fully
10:01 am
preempts state and local law would definitely save a compliance cost, but it would also be better, you know, for the global competitiveness of our companies if they could align what they are doing, you know, with other parts of the world as well, versus having people track what is going on in the individual states. so there is definite-- >> you mentioned the security industry association encourages its members to [inaudible] resources like how to counter ai cybersecurity threats to physical security products, as an example. do your members see criminals using ai in new ways? >> one thing we are, i asked some of our [inaudible] experts in the industry about this, but one thing that's emerging is the ability to detect when video has been altered. so security video is important to what we do.
10:02 am
we want to make sure that can't be manipulated by bad actors for fraudulent purposes or maybe to further some other criminal activity. there's technology available that is verifying the authenticity of data that is stored to make sure it hasn't been altered. that's one area. >> thank you. thank the panel. mr. chairman. >> thank you, senator. i'll be quick because i know [inaudible] for a while. a couple of you already commented on this. our office put a fair amount of work into the american privacy rights act. you guys have come at it or talked about it today. it is about security in addition to privacy, as i think all of you have pointed out, that there's a connection there. what are your feelings, we'll go right down the list, in terms of if you've got something constructive, something that bothers you, if
10:03 am
you think we need a sense of urgency, a couple of people have-- >> we will leave this here to take you live now to a senate foreign relations committee hearing on several state department nominees. you're watching live coverage on c-span2. [inaudible conversations] [inaudible conversations]
