
Transcript: US Senate Subcommittee Hearing on "Strengthening Data Security to Protect Consumers"

Justin Hendrix / May 9, 2024

March 8, 2024: Witnesses gather in a US Senate Committee Hearing Room, Russell 253, for a hearing on strengthening data privacy.

On Wednesday, May 8, 2024, Senator John Hickenlooper (D-CO), Chair of the Senate Commerce, Science & Transportation Subcommittee on Consumer Protection, Product Safety and Data Security, convened a hearing titled “Strengthening Data Security to Protect Consumers.” The hearing focused “on the importance of data security, and how to protect the confidentiality, integrity, and accessibility of consumer data and safeguard data against unauthorized access, including through data minimization and robust data security practices.”

Witnesses included:

  • James E. Lee, COO, Identity Theft Resource Center (written testimony)
  • Sam Kaplan, Assistant General Counsel and Senior Director for Public Policy & Government Affairs, Palo Alto Networks (written testimony)
  • Prem Trivedi, Policy Director, New America’s Open Technology Institute (written testimony)
  • Jake Parker, Senior Director of Government Relations, Security Industry Association (written testimony)

Witnesses pointed to the need for a national data privacy standard.

"Having a uniform national standard could provide more benefits to businesses and consumers while further enhancing data security and a national standard is something our members support. We've been following the renewed discussions here in Congress regarding the development of such a standard and we are encouraged by the progress in this." - Jake Parker, Senior Director of Government Relations, Security Industry Association

Data privacy and minimization can be regarded as a security principle.

"Minimum standards can reduce the risk of exploitation. Minimum standards are more than just metrics though, which is what we tend to think of. A lot of times they are practices like data minimization, which is a concept that is predicated on a very simple truth. If you do not have the data, you cannot lose it. And if it's secure, it cannot be misused until we get to quantum computing, and that's a different discussion." - James Lee, COO, Identity Theft Resource Center

The discussion turned to the sophistication of cyber threats like AI-generated phishing attacks and nation-state hacking campaigns.

"We have seen threat actors leverage this to create really sophisticated spear phishing attacks. Senator Blackburn brought up quantum threats right now. There is a campaign of harvest now and decrypt later where malign nation states are collecting data, even encrypted data, knowing that this day is coming where they'll be able to decrypt it." - Sam Kaplan, Assistant General Counsel and Senior Director for Public Policy & Government Affairs, Palo Alto Networks

The proposed American Privacy Rights Act (APRA) received praise, but concerns were raised regarding FCC preemption and possible unintended consequences.

"APRA includes some of the necessary pillars of sound privacy legislation. I won't list all of them, but I think it is germane to today's conversation. Strong data minimization principles, online civil rights protections, privacy rights for users to be able to view, correct, opt out and delete their data, stop its sale or transfer. These are essential elements of data protection and consumer protection. And so we're heartened to see this credible proposal reemerge. In terms of constructive areas to focus on, I think one of the areas of concern for us has been the scope of FCC preemption in APRA." - Prem Trivedi, Policy Director, Open Technology Institute

What follows is a lightly edited transcript of the hearing.

Sen. John Hickenlooper (D-CO):

Welcome to the Subcommittee on Consumer Protection, Product Safety and Data Security. We'll come to order. I apologize for a little bit of the wait, and Senator Blackburn will be here quickly. She's en route. We're at a pivotal moment in the age of technology that relies on increasing amounts of consumer data. Obviously, artificial intelligence has gotten the lion's share of publicity, but that's nowhere near the limit. Businesses collect or process data ranging from personally identifiable information, name, address, likeness. They say in college these days, obviously sensitive data, physical locations, browsing history. The threats to consumers' data that companies face are complex and in almost every way daunting. As companies collect more data, they become more attractive targets for data breaches, and by that I mean criminal activity. Each breach costs companies nearly $4.2 million per incident, and consumers shoulder the financial burden and the reputational harm of each incident.

How many more consumers need to be victims of identity theft for us to take action? How much longer should we allow personal data to be sold on the dark web for profit? When will cyber criminals be stopped, or at least deterred from preying on our data? These data breaches hope to hurt small businesses, large corporations, and everything in between. In 2023 alone, there were 3,205 data breaches in the US, and that's what we know of that were reported. 353,000 individuals were severely impacted. 10% of publicly traded companies reported a data breach impacting in total 143 million individuals. These data breaches could have devastating effects. A nationwide wireless carrier's data breach exposed the data of 70 million customers. A large health insurer, this was recently widely reported, saw their system grind to a halt, which delayed important healthcare payments and exposed critical health data. This is why we need strong requirements for how companies collect and protect our data.

By conducting routine risk assessments and establishing strong internal and external safeguards for data, we need a strong national privacy standard that includes data minimization and data security. Obviously data minimization establishes the specific categories to turn off the spigot, as it were, of data that the companies collect from consumers, so the companies aren't just collecting everything they can. Data security establishes clear requirements for how companies should safeguard the data that they do collect, so breaches are less common. We need to give consumers meaningful control over how their data is used. This will restore consumers' confidence in the technology that powers our economy, and I think states clearly are not waiting for the federal government to act. Already 16 states, including Colorado, have passed or are in the process of passing their own state privacy laws. Other states are talking about it.

Excuse me. There are lessons we can learn from these state laws. For example, Colorado's law has a temporary right to cure for businesses to comply or adapt to privacy requirements. There are also areas where the federal government has to step in to issue rules and apply enforcement, consistent definitions for key terms like sensitive data, or to issue nationwide rules. The draft American Privacy Rights Act is an important bipartisan compromise framework for Congress to build upon. I commend Chair Cantwell and Chair McMorris Rodgers in the House for their efforts to bring this proposal forward. We're committed here to listening to all perspectives on data minimization and data security. Minimization and security are obviously interconnected, interrelated. Together they represent the foundation of a strong data privacy framework upon which we can build. We have an opportunity right now and an obligation right now to build meaningful bipartisan consensus around these complex issues. That's why I look forward to the hearing today with each of our witnesses. I'd like to welcome each of our witnesses who are joining us today: James Lee, Chief Operating Officer from the Identity Theft Resource Center; Sam Kaplan, who's the Assistant General Counsel of Palo Alto Networks; Prem Trivedi, Policy Director for New America's Open Technology Institute; and Jake Parker, Senior Director, Security Industry Association. And I now recognize our ranking member, our vice chair, Senator Blackburn, for her opening remarks. Thank you so

Sen. Marsha Blackburn (R-TN):

much, Chairman, and welcome to each of you, and apologies for people kind of coming and going. We had a 2:30 vote that ended up getting called, but I am so pleased. I know Chair Cantwell and Ranking Member Cruz are on the floor right now. But I am appreciative that Chair Cantwell has brought privacy back into focus, and I've worked for over a decade for Congress to take an action in this area. And when Senator Welch and I were each on the House Energy and Commerce Committee in 2012, we brought forward the data security and breach notification bill. It was the first of the privacy and data security bills, and it was bipartisan. It would take steps to protect the security of data there from businesses. It would have required consumer data breach notifications and allowed the FTC and State Attorneys General to hold companies accountable for violations of the law.

So that is where we were in 2012. And as we now know, this issue, since it hasn't been addressed and it hasn't been resolved, is growing more and more urgent every single day for an action to be taken. The need for the swift adoption of smart and effective data privacy and security legislation is pressing for several reasons. First, China and other bad actors are not slowing down. Now, FBI Director Christopher Wray was before us at a Judiciary Committee meeting and he said something pretty significant. He said, if you are an American adult, it is more likely than not that China has stolen your personal data. And he also said China's vast hacking program is the world's largest, and they have stolen more Americans' personal and business data than every other country combined. We need to be paying attention to this. This threat is especially magnified as China seeks to become the world leader in artificial intelligence.

By the time we get to 2030, China plans for AI to power its vast surveillance state, and data collection and retention is at the heart of their strategy. At the same time, as AI technology is increasingly intertwined in our daily lives here in the US, consumers have valid questions about how their data is going to be used to train these large language models and AI applications. I hope today that we will discuss why we need federal privacy and security legislation to combat these threats. Second, Congress has passed the point where we risk ceding our authority to both states and other countries. As we all know, state governments are quickly enacting privacy laws, creating a patchwork of regulatory headaches for our businesses. 15 such laws exist, including Tennessee and Colorado, and the Europeans have also beaten us to the punch. Several years ago they did GDPR. They are now using GDPR as the foundation for regulating AI.

Yet we can use the EU as something of a cautionary tale about the need to make our regulation smart and effective. I visited the EU to work on this issue last year, and I heard stories from one of their data protection authorities about how they've been asked to resolve disputes over bank accounts after a couple divorced, or to resolve a dispute between neighbors about the location of an antenna. So let's be smart. Let's not make these same mistakes, and let's not overreach. We know our friends the Europeans always have a heavier handed approach, which makes it even more imperative that we act in a thoughtful manner. Moreover, without congressional action, the FTC will proceed ahead with its commercial surveillance and data security rulemaking, which it launched in 2022 without congressional authority and directive. Congress should be setting these rules, not unelected bureaucrats. Finally, while this hearing will likely feature much discussion on concepts like data minimization and other data security practices, we must not forget about the cybersecurity threats posed by new and emerging technologies.

One area of great interest to Tennessee is quantum technologies, through methods like harvest now and decrypt later. Once bad actors steal encrypted data today, nothing can stop them from decrypting your data tomorrow with quantum technology. That is why this committee must move quickly to examine this technology and reauthorize the National Quantum Initiative Act. I would love to work on this with our chairwoman and the team here at the committee. Tennessee is a leader in financial innovation in technologies like quantum computing, and the Oak Ridge National Lab is at the forefront of basic and applied science research. When I speak with people in the state, they ask me how we can best tackle privacy and data security issues while also continuing to allow innovation to flourish. This committee must be thoughtful in our approach, but also mindful of the realities the congressional calendar imposes. I look forward to our discussion today, and I so appreciate the testimony from each of you. Thank you, Mr. Chairman.

Sen. John Hickenlooper (D-CO):

Great. Now we'll hear the opening remarks from each of our witnesses. I always said the term witness gives a false sense of, I don't know, insecurity perhaps these days. Anyway, we'll start with James Lee, who's Chief Operating Officer, Identity Theft Resource Center.

James Lee:

Thank you, Mr. Chairman, Ranking Member Blackburn. I am James Lee. I'm the Chief Operating Officer of the Identity Theft Resource Center. I'll refer you to our full written remarks to find out more about the ITRC, but just so everybody knows, the core of our business is to provide free assistance to victims of identity crimes, and we also do research and analysis on identity crime trends, which we make available to both the public and private sector. So a lot has happened since we were in this room back in 2021 to talk about this very same subject. We've seen bad actors shift their focus, we've seen them expand their reach, and we've seen them accelerate their innovation attempts. We may in fact be at the very beginning of what is a golden age of identity crime.

It's fueled by stolen personal data, made highly effective and efficient by AI, with individuals and many businesses all but helpless to defend themselves. So why do I say that? I'll give you some scope of the problem. So data breaches are the fuel for identity crimes, all identity crimes, and a fair portion of cyber attacks thanks to stolen logins and passwords. In 2023, the total number of data compromises was 3,205, as the chairman pointed out. That impacted an estimated 353 million people, because some people were hit more than once. That's a 78% increase from the year before. That's a 72% increase from the previous high, which happened the last time we had this hearing. From a financial standpoint, more than two thirds of the people who contact the ITRC are losing more than $500. Within that subset, 30% of them are losing more than $10,000, and we are now routinely hearing from people who are losing six and seven figures in financial losses due to identity scams.

The most troubling trend though is the number of people who have decided that their only way out is self-harm. 16% of the people who contacted us in 2023 said they contemplated taking their own life. For the decades before that, that number had never been higher than 2% to 4%, and now 16%, doubled in one year, and we do not see it slowing down. And also unlike past years, we now hear routinely from grieving families who are still being attacked by the identity criminals who are trying to keep the scam going. We don't advocate one way or the other for legislation or regulation for the most part, but we do provide objective information. So with that in mind, we're still in the same place we were last time. The best way to help identity crime victims is to prevent victimization in the first place. And an important part of preventing identity crimes is through uniform minimum standards for data protection and use. Minimum technical and non-technical standards are essential in our world.

That's driven by software and fueled by data. Compliance with comprehensive, but not necessarily prescriptive, minimum standards can reduce the risk of exploitation. Minimum standards are more than just metrics though, which is what we tend to think of. A lot of times they are practices like data minimization, which is a concept that is predicated on a very simple truth. If you do not have the data, you cannot lose it. And if it's secure, it cannot be misused until we get to quantum computing, and that's a different discussion. Routine risk assessments also help ensure information systems are secured in a manner equal to the risk. That's very important, equal to the risk that an organization faces. You add two other complementary concepts, privacy by design and security by default, and you have all the tools needed to keep privacy and security at the forefront of a company's culture and in every stage of a product's life.

To be effective in reducing identity crimes, uniform standards also need strong enforcement. Defenders must continually measure their progress and constantly adjust to the new tasks, and you do that through audits. There's also the need for strong enforcement actions when it comes to data breach notices, which are increasingly ineffective even if a notice is issued. Let me give you two examples. In the first three months of this year, 32%, 32% of data breach notices had some information about what caused the data breach if it was linked to a cyber attack. Reverse that number and that tells you how many didn't include information about what happened. That number was 100% of data breach notices until the fourth quarter of 2021. The average number of new data breach notices in the US is nine per day. In the European Union, one of the things they do get right, it's 335 every day. We are missing data breach notices, and there are plenty of examples to prove that.

Let me leave you with one final thought. If we adopt data minimization, and we should, and if we give consumers more access and control over their personal information, that is a vital part of data protection, they can significantly reduce the amount of personal information at risk of a data breach and misuse by criminals. But, because you knew there was going to be one, personal information used responsibly and transparently is important for proving a person is who they claim to be in a variety of transactions, from opening a bank account to applying for a government benefit, et cetera, but they also effectively prevent someone from becoming a victim of identity fraud because of stolen personal information. Restricting the use of personal information for identity verification or fraud prevention as part of consumer control or data minimization could have the unintended effect of actually aiding identity criminals and negatively impacting communities that are already disproportionately affected by identity crimes. So thank you for your time and attention. I look forward to answering your questions.

Sen. John Hickenlooper (D-CO):

Thank you very much. Now Mr. Sam Kaplan, who is the Assistant General Counsel of Palo Alto Networks and has spent a considerable amount of time in Colorado.

Sam Kaplan:

Thank you, Chairman Hickenlooper, Ranking Member Blackburn and distinguished members of the committee. Thank you for the opportunity to testify on how cybersecurity is a critical and foundational element of data security and consumer protection. Again, my name is Sam Kaplan, and I'm Senior Director and Assistant General Counsel for Public Policy and Government Affairs at Palo Alto Networks. I've spent the bulk of my career working at the intersection of cybersecurity, national security and data privacy. Prior to joining the private sector, I was proud to serve in a number of positions across the federal government, including as the DHS Chief Privacy Officer, on the Privacy and Civil Liberties Oversight Board, and at the US Department of Justice. For those not familiar with Palo Alto Networks, we are an American headquartered company founded in 2005 that has since become the leading cybersecurity company. We proudly provide cyber defense capabilities to enterprises around the world, supporting 95 of the Fortune 100, critical infrastructure of all shapes and sizes, the US federal government, universities, educational institutions, and a wide range of state and local partners.

This means that we have a deep and broad visibility into the cyber threat landscape. We are committed to being a good cyber citizen and a trusted security partner with the federal government. It's no secret that cyber attacks cause real impact to our daily lives, from disruptions of public services like healthcare or emergency services to compromises of American sensitive data. With that backdrop, Palo Alto Networks strongly believes that deploying cutting edge cybersecurity defenses is a necessary and effective enabler of data security and privacy. Bottom line, effective data security and data privacy requires cutting edge cybersecurity protections. Organizations should be encouraged to protect data by implementing robust data and network security practices that can both help prevent incidents and data breaches before occurring in the first place and mitigate the impact should an incident occur. To stay ahead of this evolving threat landscape, cybersecurity professionals regularly leverage security data, which is the network telemetry, the ones and the zeros.

The malware analysis, the IP addresses, the vulnerability enumeration that we must ingest and analyze in real time to optimize cyber defenses. To that end, we are heartened to see cybersecurity generally included in privacy frameworks as a permitted purpose that companies like ours can use to collect, process, retain, and transfer security data to in turn better protect those systems and data from compromise. Today's cyber threat landscape requires that approach, and everyone's personal privacy will benefit from that framing. To that end, Palo Alto Networks recommends organizations focus on the following actions to bolster their cyber resilience and increase their data security posture. First, leverage the power of AI and automation. For too long, cyber defenders have been inundated with alerts to triage manually, which can lead to data breaches. AI can help flip this paradigm. Second, ensure complete visibility of attack surfaces to help identify and mitigate vulnerabilities before they can be exploited.

Third, implement a zero trust network architecture to prevent and limit an attacker from moving laterally across the network. Fourth, promote secure AI by design to assist with inventorying AI usage, applying policy controls and securing applications built with artificial intelligence. Fifth, protect cloud infrastructure and applications. As cloud adoption accelerates, cloud security cannot be an afterthought. Sixth, maintain and test an incident response plan to prepare for and respond to cyber incidents. Our team at Palo Alto Networks is dedicated to securing our digital way of life. We enthusiastically participate in a number of forums like CISA, JCDC, and share our situational awareness and understanding of the threat landscape with those key partners. Our collaboration in forums like these reinforces that cybersecurity is truly a team sport. Thank you again for the opportunity to testify on how cybersecurity is a foundational requirement of data privacy, and I look forward to your questions.

Sen. John Hickenlooper (D-CO):

Thank you, Mr. Kaplan. Now I'll introduce Prem Trivedi, who is the policy director for New America's Open Technology Institute.

Prem Trivedi:

Chair Hickenlooper, Ranking Member Blackburn, members of the committee. Thank you very much for the opportunity to speak with you today. I'm Prem Trivedi, the Policy Director of the Open Technology Institute at New America, a nonprofit and nonpartisan organization dedicated to realizing the promise of America in an era of rapid technological and social change. Since 2009, the Open Technology Institute, or OTI, has worked to ensure every community has equitable access to digital technology and its benefits. OTI has long emphasized the need for a strong federal standard in privacy and data security that protects consumers while retaining sufficient flexibility for innovation. This takes me to my first point. Data security and consumer privacy are two sides of the same coin. Strong data security safeguards, including minimization, are vital to protecting consumers. And data minimization, as you mentioned in your remarks, is a powerful principle that requires collecting, using, sharing, and retaining only the data necessary to provide a service or a product.

And strong data security safeguards are urgently needed in this era of AI training. Many AI models require ingesting huge data sets, and as companies race to acquire more data, the pressures to adequately protect it keep increasing. And so a baseline federal standard on privacy and data security is essential to ethically and effectively regulating AI development. And I'll add, cybersecurity practitioners also recognize minimization's benefits go beyond consumer privacy because it can reduce threats posed by breaches and other security incidents. In short, companies can't misuse data that they don't have, and hackers can't steal data that companies don't have. My next point is that research shows Americans want strong data security and minimization protections. There's no uniform national standard that protects all types of data. And Americans know that online data collection and tracking of their activities is pervasive. It's probably why 75% of Americans lack confidence that the government will hold a company accountable if it misuses or compromises their data.

And all of this concern about data security and privacy is negatively impacting consumer trust in AI and in leading AI companies, many of which are US companies, small and large. The good news is that more than two thirds of Republicans and Democrats support more regulation of companies' data use. And we've been heartened to see the recent reemergence of a credible bipartisan, bicameral legislative proposal on privacy and data security via the American Privacy Rights Act. The next point I'd like to make is that a strong federal data minimization regime would replace the broken approach in American privacy governance that relies on notice and consent alone. We know it would take people hundreds of hours to read all the privacy policies that they encounter in just a year. And most Americans, even most privacy professionals, respond to this unfair burden on consumers by clicking agree without reading those policies.

This isn't meaningful notice, it's not meaningful consent and it's not clear either is really achievable in most of our online activities. Data minimization is so important because it shifts the responsibility onto companies and from consumers to use only what the companies need to provide products or services. And I want to point out this is far from a new concept in law or corporate risk management playbooks. So I think we can get the benefits of data minimization without stifling innovation or overburdening smaller companies. The last main point I'd like to make is that a broad set of best practices in data security should become baseline safeguards across all sectors of our economy. And here's a short list of those best practices. First, as I've emphasized so far, collect, use, share and retain only data that's relevant. Second, whenever possible, use encryption to securely store and process data.

Third, apply strong controls that ensure only the people who should be able to access data can in fact access that data. Fourth, use strong methods for authentication, including multifactor authentication. Fifth, further study and standardize over time uses of privacy enhancing technologies. And sixth, routinely assess and mitigate against data security vulnerabilities, something you've heard from other witnesses as well. There's no such thing as perfect data security, but these common sense best practices should be requirements in federal law that are applied flexibly enough to account for different company sizes and technical capacity. In conclusion, data protection is consumer protection, and we need a national legislative framework that requires and incentivizes responsible data stewardship. Continued US leadership on AI requires Congress to address the consumer trust gap, and we appreciate the committee's bipartisan leadership on data security and privacy. Thank you again for the opportunity to testify before the subcommittee. I look forward to your questions.

Sen. John Hickenlooper (D-CO):

Thank you very much. Now go to Mr. Parker. I forget what, you're the Senior Director of the Security Industry Association. Thank you for being here.

Jake Parker:

Good afternoon, Chairman Hickenlooper, Ranking Member Blackburn. Thank you for the opportunity to participate in today's hearing. Again, I'm Jake Parker with the Security Industry Association. This is a non-profit trade association representing more than 1,500 companies that provide products for protecting lives, property, businesses, schools, and critical infrastructure throughout the nation. So data security is essential to the operation of security systems and services, and our members are committed to protecting personal data, whether it's consumer or operational. Data practices like data minimization and privacy by design enhance the end to end security needed for successful implementation of many types of these products. For example, when it comes to access control and video systems, features like data encryption, which we talked a bit about here, permissions based access, decentralized data storage, edge device processing, audit capabilities, and data deletion schedules all serve to limit the availability of data for potential misuse and limit the usefulness of data if it is compromised.

Another example, our members provide the multifactor authentication and remote identity proofing services that are becoming essential to preventing identity theft and fraud as attackers become more sophisticated. These advanced technologies provided by our industry, especially biometrics, are providing higher assurance authentication while reducing exposure of passwords and other personal information that is far more vulnerable to exploitation by identity thieves and cyber hackers. As we've heard from the other witnesses, there are very serious and rapidly increasing threats to data security that must be addressed, and beyond technical standards, product features, best practices and security tools, having the right public policies in place will also address data privacy and security. And there's a key role for those. So states like Colorado, Texas, Tennessee, and by my count, by the end of this month there'll be a total of 19 states that have enacted comprehensive data privacy and security laws, which cover over 160 million Americans, or almost half the population.

However, having a uniform national standard could provide more benefits to businesses and consumers while further enhancing data security, and a national standard is something our members support. We've been following the renewed discussions here in Congress regarding the development of such a standard, and we are encouraged by the progress in this. It's essential that data can continue to be utilized as needed for safety and security purposes. For example, our members and their customers are often the first to raise the alarm in emergencies, where having the right data helps law enforcement and other responders get to where they need to be as quickly as possible. And as also mentioned earlier, there are many technologies used for authentication that will be essential to accomplishing the goals of the draft proposal that we are looking at in section nine, which I think was mentioned earlier. So having a uniform and workable national standard requires strong state and local preemption to avoid layering additional requirements.

And this is really important to our industry. It also needs to limit risk to businesses from opportunistic abusive lawsuits, which we've certainly seen in some jurisdictions over privacy matters, and we need to make sure that we accomplish those two objectives in what we put forward. So I appreciate you holding this hearing and your leadership in putting a spotlight on data security now. As an organization, we're doing what we can through our data privacy advisory board and our cybersecurity advisory board in particular to provide key resources and urge adoption of best practices for data security in our industry, as I outlined in my written statement. And again, thank you for the opportunity to participate on behalf of SIA and our members, who look forward to continuing to work with you on these issues.

Sen. John Hickenlooper (D-CO):

Great, thank you all again for being here. I realize how busy you all are and it's some sacrifice. You come and share your information, your wisdom, your data with us. Let me start off with you, Mr. Trivedi. Lincoln famously said, with public sentiment, nothing can fail; without it, nothing can succeed. Various states have established their own laws, soon to be 19 states that will pass their laws. And this is all about what types of data businesses can collect, how consumers should be notified, how consumers can be better protected. I think businesses can more fairly compete when there are clear, consistent rules of the road. And especially for small businesses, I think this is essentially important. So Mr. Trivedi, how do you believe a national standard for data minimization and securing data ultimately benefits customers and their privacy, and maybe a thought about how we get the word out to them to get that public sentiment behind us?

Prem Trivedi:

Thanks so much for that question, Chair Hickenlooper. I'd start by saying Americans know that their data represents the most sensitive aspect of their lives and that's why they're clamoring for strong protections for it. And as you've said, a national standard would set equal protections for all Americans, but also set uniform expectations for all companies, which is something that they have been clamoring for as well. And that kind of clarity in the regulatory environment is sorely needed because the US legislative regime for data privacy and security is fragmented in ways that make consumers more vulnerable. And then it requires companies, and this is particularly burdensome, I think, for smaller companies, to develop complicated compliance programs in response to state patchworks and in the absence of clear national rules of the road. I think I would also add to your question about small business in particular that many of these small businesses do not want to be hoovering up as much data as possible to run their business, but because there aren't sort of credible, strong and flexible national standards, they may feel as though there's a competitive disadvantage if they're not collecting as much data as possible.

That as we've heard, puts consumers at risk. It also puts those companies at risk. And so I think that a data minimization approach and a data security approach that's common at the federal level helps these companies do what they want to do, which is be responsible data stewards.

Sen. John Hickenlooper (D-CO):

Well, I agree, but certainly hope you're right. Certainly AI has created a fascination with the value of all data and there seems to be a little bit of a race on. Minimization is not quite appearing as frequently as it had been since AI has gotten more currency. Mr. Kaplan, on a bipartisan basis, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act a couple of years ago to require critical infrastructure operators to quickly report cyber incidents so we can understand the threat landscape as it changes. The FTC has also investigated and issued penalties against companies that were found to be unfair or deceptive in their data security practices after the consumer data was exposed. Gathering and sharing information about specific ongoing attacks as well as the broader industry trends helps us establish the defenses to prevent future incidents, especially obviously data breaches across sectors. So in your experience, Mr. Kaplan, which vulnerabilities do you think are most important to address in order to prevent data, prevent criminals from assessing or accessing consumer data?

Sam Kaplan:

Thank you, Senator. That's a very great question. So in our experience, and conveniently every year, Palo Alto Networks publishes an incident response report, which provides an aggregated summary of the key trends that we've seen and had and how adversaries are looking to break into systems across the country. In this past year, we found that internet facing software vulnerabilities actually surpassed phishing attempts as the primary vector for attacks to take place. These are essentially open doors that are available on public websites that haven't been patched through updates or upgrades to software and systems. As a result, the adversaries are able to leverage these vulnerabilities with relative ease to gain entree into these systems.

In that vein, all vulnerabilities should be taken seriously. But the one vulnerability that we've noticed that is particularly troublesome is called a remote desktop protocol or an RDP vulnerability. This in particular, if exploited, can provide threat actors and attackers easy access to a deep level of administrative privilege into a victim system to better and quicker exfiltrate data. These RDP vulnerabilities will unlock the keys to the kingdom, if you will. So they're a particular concern for our company. With adversaries growing increasingly sophisticated, it's critical that we make it as difficult as possible through layered defenses and some of the best practices that I identified in my opening statement with regard to zero trust architecture to prevent attackers from moving laterally across the system and to close those open doors and to have better understanding and visibility into your relative attack surface.

Sen. John Hickenlooper (D-CO):

And we'll get back to some of that. The danger of any hearing like this as we do call attention to some of those open doors but increases your commercial activity in all of yours. I'm going to turn it over to my vice chair, Senator Blackburn for some questions.

Sen. Marsha Blackburn (R-TN):

And thank you all so much for your testimony and I appreciate getting your perspectives on this. I want to start with GDPR. I mentioned that in my opening remarks. And let me ask you, are each of you involved in some way in the EU, or your companies involved in some way in the EU? Show of hands is fine. Okay. So two of you are. Mr. Trivedi, you're trying to decide if you are or not.

Prem Trivedi:

Only to say that we're not a company, so no business in the EU, but we're a nonprofit that's certainly tracking

Sen. Marsha Blackburn (R-TN):

Mr. Lee, likewise. As we look at this, and as I mentioned, our friends in the EU know they went a little bit too far, but companies already have these protocols in place to meet the GDPR standard. So as you look at what they have done in the EU, and Canada has a law, New Zealand has a law, and Australia has a law, all protecting their citizens in the virtual space. Mr. Lee, start with you and just go down the line, what should be the lessons that we learned and what should we take away from the GDPR experience? Go ahead and just very quickly so I can work on through my questions.

James Lee:

The things that I think they got right do deal with some of the more technical aspects of making sure that you are having the programs that you need in place and that they meet the risk that you are facing. So it's not a prescriptive necessary, necessarily standard, but it's, you have to assess and report and then when there is a data breach, you have to report that to the data authority for that country.

Sen. Marsha Blackburn (R-TN):

So their assessment reporting mechanism, you would say they got it right. Mr. Kaplan?

Sam Kaplan:

Thank you, Senator. That's a great question. I would say from a macro level, the things that they got right are sort of a uniform standard. Regulatory complexity across multiple markets just increases costs. And from a cybersecurity perspective, the sources and the resources that are dedicated to responding to incidents should be operationally responding to incidents rather than looking at regulatory compliance.

Sen. Marsha Blackburn (R-TN):

As I say, we need one set of rules for the entire internet ecosystem with one regulator.

Sam Kaplan:

Predictability and lessening regulatory complexity is one of the hallmarks.

Sen. Marsha Blackburn (R-TN):

It's a one of the, it's a good thing, isn't it, Mr. Trivedi?

Prem Trivedi:

Thank you, Senator, for the question. I think the first lesson is something you highlighted, which is moving swiftly to establish that uniform standard. That's something we should emulate. I think it's worth saying GDPR has probably not been strong enough on data minimization that I think the regime we're hopefully working towards here in the United States could do it better. I think GDPR arguably gives too much deference to companies to decide what minimization means. And I think while we should have sort of a reasonableness thing and a flexibility, we need a strong and flexible approach, I think there's an opportunity for an American approach that's different and that works for us.

Sen. Marsha Blackburn (R-TN):

Okay. Mr. Parker?

Jake Parker:

I would say the emphasis on reasonableness, proportionality and consent is very similar to what a lot of the states have done already. So you have similarities between those two, which obviously, as was pointed out, is a little bit different than what the proposal we're talking about now at the federal level is. But just based on what I've also, some feedback from members we've had, there has definitely been an issue with conflicting interpretations over time from the national data protection authorities within the EU that's causing problems for businesses that are doing work across the EU, different jurisdictions. But also there's the potential, and this is I think relevant for us here, that there's overlap between the AI Act and the GDPR, and in some cases those areas of overlap are going to get resolved one way or another, but it's causing some confusion.

Sen. Marsha Blackburn (R-TN):

And digital marketing and digital services and some other, the overlap there. Let me, I want to go to the data minimization issue and again, just down the line, Mr. Lee, starting with you, what is your opinion of data minimization as a security principle in this debate?

James Lee:

I think it has to be integral. If we're going to reduce identity crimes, we're going to have fewer victims. We have to reduce the supply of data that can be abused by individuals if it's stolen or even if it's just accidentally exposed. If you don't have it, you can't expose it. You can’t…

Sen. Marsha Blackburn (R-TN):

So you tie the two.

James Lee:

I do, yeah.

Sen. Marsha Blackburn (R-TN):

Okay. As you said, data breaches are the fuel that ties in. Mr. Kaplan.

Sam Kaplan:

Senator, from a macro perspective, I think data minimization is an increasingly useful principle, especially in lessening the attack surface, particularly for those companies that are doing business with consumer focused data. To that end, that's also where we think that legitimate and broad, not broad, but targeted, permissible purposes, like protecting the information can be critical, but minimization can be an important tool. So

Sen. Marsha Blackburn (R-TN):

You would segment it?

Sam Kaplan:

Correct.

Sen. Marsha Blackburn (R-TN):

Okay. Mr. Trivedi?

Prem Trivedi:

Thank you, Senator. I would say data minimization is an essential part of data security. Safeguards central to it for the reasons that other witnesses have highlighted as well, which is to say the attack surface is lessened when you are intentional about collecting only what you need. Again, you can't exfiltrate or hack what isn't there in the first place.

Sen. Marsha Blackburn (R-TN):

Alright, Mr. Parker?

Jake Parker:

Yeah, I would say, I mean there is a bit of a difference between data minimization as an operational principle and a policy principle. So certainly from an operational standpoint, that definitely plays a big role in data security from a policy perspective. I know there's the overall approach of having a set number of permissible purposes for collecting and processing data certainly could work. I know there's some questions out there about what about future proofing this? So then the future, is that going to be too narrow and do they cover what they need to now, those are all legitimate questions, but certainly an interesting approach.

Sen. Marsha Blackburn (R-TN):

Great. Can I ask? Sure. Oh, Peter's here. So I didn't see him. Go ahead and go to him. I've got another question I want to ask.

Sen. John Hickenlooper (D-CO):

I've got Senator Klobuchar on as well. Want to ask a question.

Sen. Marsha Blackburn (R-TN):

I do. I wanted to talk about China because we just enacted legislation to force ByteDance to divest from TikTok. And the data security threat from China is broader than just TikTok, and a more holistic approach rather than playing whack-a-mole is required on this. The problem goes beyond apps and we know that China is using drones and cranes and potentially routers to spy on Americans. So how should Congress approach the broader data security threat from China and what do you see as a good policy solution to this? Mr. Lee?

James Lee:

I'm just a humble victim advocate, but we do have to recognize that nation states maybe not for the same reason as professional criminals. They want the information and it's important that it is protected from whomever wants to misuse it for whatever reason they want to use it. China is certainly a nation state that has great capabilities. We know that they have a lot of data about individuals. For intel purposes, we have to assume there are other countries, friends and foes that do the same. So an approach for data protection needs to be universal in its approach to whomever is acquiring the information.

Sen. Marsha Blackburn (R-TN):

Mr. Kaplan.

Sam Kaplan:

Senator? Yeah. The threat from China is something that we are tracking every day on a regular basis, both the threat of exfiltrating information to China, but also other malign nation states that are looking to leverage sort of data within the United States. As a cybersecurity company, we're principally focused on the security of the networks and information systems upon which that data relies. So broader policy questions about how to deal more holistically with a problem may be outside of our purview. To that end, we would encourage strong cyber protections with regard to those systems and encourage information sharing with the federal government, like we enjoy and regularly partner in with regard to that threat.

Sen. Marsha Blackburn (R-TN):

Mr. Trivedi.

Prem Trivedi:

Thank you for the question. I think you're importantly highlighting the ways in which data security and data protection have a national security dimension. We've been talking about consumer protection, which is vital. We've been talking about people's privacy, but this is not all occurring just in the context of what's happening with our own borders. And as Mr. Kaplan mentioned, I think there are a number of nations in competition for one another's data, and there are costs to that. I would say to answer your question about the right policy approach, at the top of the list should be establishing a federal data security and privacy protection standard. I think that's essential because it does all the things we've talked about, but also confers national security benefits on America as well.

Jake Parker:

And certainly what was just mentioned is establishing that standard in the federal privacy framework we're talking about would go a long way to doing that. Certainly anything that's internet connected devices is a target for exploitation by nation state actors. Implementing certain encryption protocols in our industry, as I'm aware, is pretty important, protecting those specific kind of devices. And I would say though, as an additional side note, there's also been a large shift within our industry away from manufacturers in China, in sourcing equipment there that could possibly have vulnerability. So I'd say especially in the commercial sector, it's been a near complete move away from those sources.

Sen. John Hickenlooper (D-CO):

Great. Thank you.

Jake Parker:

Senator Welch.

Sen. Peter Welch (D-VT):

Thank you very much. It's good to be here. Senator Blackburn, it's always wonderful to see you continuing this pioneering work that you began when you were in the House, and it's only got more complicated, actually. Let me ask you a few questions about the privacy issues for individuals and then the cybersecurity. That's essential for everyone. I mean, as you know, about 72% of Americans believe there should be more regulation over what companies do with people's data; 67%, and I'm among the 67%, report little to no understanding of how companies use their data; and 73% report that they believe they have little or no control over what companies do. So there's a question about my data, citizens' data and what companies do. Then there's the question about hacking into systems, and tech companies have a high self-interest in doing everything possible to protect against hacking because it hurts them and their customers. I mean, where's the difference in responsibility for protecting the system from being hacked? And I hear you saying there should be a national standard, and that national standard, what does that mean for small businesses that just don't have the financial wherewithal to be able to bear that burden, and what those recommended protections are, how they could be integrated affordably, organically into systems that a small mom and pop business might deploy? And I guess I'd start with you, Mr. Lee.

James Lee:

Thank you, Senator. Let's work backwards. Particularly for small businesses, this concept of the risk assessment is very important.

Sen. Peter Welch (D-VT):

That they have to do themselves?

James Lee:

That they would do themselves because that's where they understand where the risk is. So if you're prescriptive and you say you must do X, but you have no risk of that ever happening, that is a waste of their time and their energy and their money. But if you do a risk assessment so you understand exactly what you are facing in your unique business based on the information you have from your customers, then you are meeting that risk as it is today, and you're monitoring it to see what you have to do to go forward.

Sen. Peter Welch (D-VT):

Let me push back a little bit. I'm just thinking, let's say it's a small record producer in Nashville in a new startup. I mean, for that person in business to be talking to the customers about what they need and then being able to make the decisions to deploy, that requires a level of sophistication that may not be the level of sophistication required to be a good record producer. I have your small law firm, let's say I was in a law firm with four lawyers. It was pretty smart, small. We didn't have the demands or the capacity to do what the major Wall Street firms do. So what you're describing as a step that we should take seems out of reach to me for the millions of small businesses we have. It seems to me that this should be just available, baked into what it is you buy.

James Lee:

I guess I would view that that's actually the foundational step. It's the one size fits all approach, which we have taken heretofore, that burdens small businesses, but when you take a tailored approach where it's specific to their business and specific to their data, then you don't have to do things which you're never going to.

Sen. Peter Welch (D-VT):

So no, that makes sense, but what's the expense associated with that?

James Lee:

It depends on which tool you're using. If you ...

Sen. Peter Welch (D-VT):

Give me a ballpark, I mean, I'm worried about the small businesses having to deal with these massive impacts on their small business.

James Lee:

As we've got representatives of the world's largest cybersecurity organization, but there are small mom and pop managed services providers that that's what they do. There's I'm sure hundreds of them even in the Nashville area in every city, there are people who do that.

Sen. Peter Welch (D-VT):

Okay. Mr. Parker, thanks. You mentioned future proofing, which makes a lot of sense to me. But one of the things that I've found frustrating as a member of the House and now in the Senate is we can't keep up with all the changes and all the methodologies by which there is hacking. And I, even those who are far more expert in Congress on technology issues, I don't think can keep up with it. Senator Bennett. And I think that the time has come where we actually need an agency, a digital commission, much like say the FTC or the FCC, that is properly staffed, properly resourced, and has the capacity to keep up. Because if it's a one-off bill that's dealing with problem A or problem B, it's a very cumbersome and difficult process to get it done in a timely way through Congress. Do you have any thoughts on the wisdom of having such an entity that would have as its ongoing challenge protecting privacy and considering other issues related to tech?

Jake Parker:

Yeah, I mean, so that's a great question and I apologize, I don't have a great answer, but I know that obviously the state of California has done something like that, having a privacy agency. And so I know the issue has been discussed here as far as creating something like that. I know there's probably the opinion that most of the existing agencies we have are playing that role, but I understand what you're saying. I know it's definitely bifurcated the way it is currently.

Sen. Peter Welch (D-VT):

Well, Mr. Trivedi, you mentioned there should be a national standard, right? Yes. Yes. That makes sense to me. Who determines what that national standard is?

Prem Trivedi:

Well, I think that legislation would emerge from a number of stakeholders working together, but I would emphasize that it should be both strong and flexible. To your point about how smaller businesses are able to comply, we cannot expect a small record store, to your point, collecting potentially far less digital data than a large tech company to

Sen. Peter Welch (D-VT):

Meet the same standard. What would a national standard look like? And strong and flexible makes a lot of sense to me. So what you're saying I agree with, but I'm trying to think about the practical way, A, to define it, B, to implement it, C, to change it, and this sitting up here, I know that's a tough ask for the folks in this job who are determined to do the best they possibly can. So do your best to answer that question.

Prem Trivedi:

Sure. Thank you, Senator. It is a very good question. I mean, I think there are some best practices I listed out as near universal that would apply. So for example, even small businesses can think about and implement access controls to make sure employees who don't need certain data can't access it. They can engage in data minimization relevant or relative to their capacity, which is to say think hard about what they really need and what they don't need. They shouldn't keep because it's also a risk to them. No, but

Sen. Peter Welch (D-VT):

We have to make… the legislation has to determine that. It's not like you're asking the individual to determine that, right?

Prem Trivedi:

That's right. I think legislation should establish sort of a strong set of practices, but that there should of course be flexibility in how businesses of varying sizes comply with it. But there should be some basic requirements that are common.

Sen. Peter Welch (D-VT):

So do you have a template of what it is you think Congress should pass?

Prem Trivedi:

Well, I think we've seen some credible bipartisan proposals. I think there's good progress being made via the discussion draft of the American Privacy Rights Act. I do think that is a very promising proposal on the table today. But in terms of a template specifically for how small businesses can operate, I think that's something that we could get back to you on, I think more about.

Sen. Peter Welch (D-VT):

All right. Thank you. I yield back.

Sen. John Hickenlooper (D-CO):

Thank you. Now we have by remote Senator Klobuchar.

Sen. Amy Klobuchar (D-MN):

<Inaudible>

Prem Trivedi:

I do. Senator, thank you. I think access and control rights are very important for consumers.

Sen. Amy Klobuchar (D-MN):

Okay. Thank you Mr. Lee. And I'm having trouble hearing it. I'll just try my best here. Mr. Lee, we also need to educate Americans on how to identify and react to cyber threats. We know there's phishing schemes going on. Senator Thune and I have introduced the American Cybersecurity Literacy Act to educate the public on cybersecurity risk by requiring NIST to conduct a cybersecurity literacy campaign. Can you talk about the importance of educating Americans on how to identify and avoid cybersecurity threats?

James Lee:

Well, education is a key to so many different things, and particularly in this case, it is a part and parcel of keeping people safe. One of the things that we learned from talking to victims every day is they are very curious about how to make sure it doesn't happen to them again. So having a comprehensive approach that is led by the federal government would be very helpful because we overall identity crime victims don't get a lot of support anyway because a lot of times people think of them as victimless crimes and trying to avoid that crime is even more difficult. So education is going to be a key part of making sure that we are keeping people safe in this increasingly dangerous cyber world.

Sen. Amy Klobuchar (D-MN):

Agree. Mr. Kaplan? In just the past five months, we've seen significant data security breaches, obviously, United Health Group, AT&T, Microsoft, because these companies maintain large amounts of data on huge swaths of the population, hacks often can affect tens of millions of people. In your testimony, you noted that large companies have twice the number of systems exposed on the internet than what they were monitoring. What complications to protecting consumer data rise from simply holding such vast amounts of it?

Sam Kaplan:

Thank you for that question, Senator. Yeah. Holding that vast amount of data just increases your attack surface and your vulnerability and makes you a more likely target of the malign threat actors and nation states that are looking to sort of divine and exploit, pull out that data to make strategic use of it. With regard to the attack surface, this was one of the basic cyber principles that we also talked about. It's understanding what your internet exposed attack surface looks like. Understanding how many of the portals into your system are open to the public internet and having visibility into existing vulnerabilities, misconfigurations, not updated pieces of equipment or software that are exposed to the open internet that just give those malign actors entry into the system. So having visibility into the ecosystem and what your attack surface looks like to the attacker, we think, is a critical piece of securing your infrastructure. That combined with knowing what your data is, is all a critical element of maintaining customer confidence.

Sen. Amy Klobuchar (D-MN):

You also noted in your testimony that the UnitedHealthcare Change data breach is likely to be the largest supply chain breach of this, Mr. Lee, the largest supply chain attack in history, because of how many organizations depend on Change to process insurance payments. When an entire industry relies on only one or two digital supply chain providers that hold and process huge amounts of data, how does that affect the impact of a cyber attack?

James Lee:

For a cyber criminal? It's a nirvana. If you can find a supply chain rather than have to attack a series of companies one at a time, if you can find that one organization that has weak cybersecurity, but lots of data from not just one company, but all of their customers, all of the people they support, they're going to get massive amounts of data. And we've seen at the ITRC, we've seen a 2600% increase in the number of organizations hit by supply chain attacks. Not just that they were attacked. You may only have a hundred companies attacked last year, but you had 2,600 companies that were impacted by it. Their data was exposed. So for a criminal, these things are incredibly profitable, and it's something that the whole topic of this conversation is how can we bring these other organizations up to speed? So you do not have that risk from vendors to the larger organization?

Sen. Amy Klobuchar (D-MN):

Yeah, I mean, we have been helping dozens and dozens of hospitals and pharmacies and other healthcare providers in our state to become whole and to be able to function ever since this data breach and clearly work has to be done here. So you can't have all this data in one place and then they don't have backup systems. Would that be one of your suggestions? What would be your suggestions to protect this data? And this will be my last question.

James Lee:

From a data protection standpoint, I mean there's a lot to that. Only one part of which would be backups. There are just so many parts of the healthcare supply chain. It has been the industry that is most attacked for the last six years running because there are just so many different parts of it. So many members from mom and pop organizations all the way up to a United Healthcare. So while there are key things that they need to be done, a big part of it is just making sure that everybody in that supply chain is aware they are a target, they are at risk, and to act accordingly.

Sen. Amy Klobuchar (D-MN):

Exactly. Okay. Thank you very much. Thanks everyone. Appreciate it.

Sen. John Hickenlooper (D-CO):

Thank you. Senator. I still got some questions and I think there's one or two people might be on their way here, so I'll indulge myself, Mr. Parker, and I don't want to get you in trouble with any of your members in any way, but the requirements for reporting a breach, whether it's ransomware or phishing or whatever it is, really the penalties, unless someone pays a ransom, the penalties so far don't appear to be significant in almost all cases. Does there need to be some sort of an incentive or some way to reward some of the smaller breaches that are happening more frequently that don't get the attention and yet are, as I'm sure you're aware, costing us tens of hundreds of millions of dollars as a country? I mean within the framework of your membership, how do we get everyone eager to make sure that they report each incident?

Jake Parker:

That's a great question. So it's been a little while since I looked at this. I know I think every state has a law on breach notification. They're different in some ways. Some have a private right of action applied to them. I think it…

Sen. John Hickenlooper (D-CO):

Definitely has some of those requirements as well. But there's just not a heavy hand. It's fairly light.

Jake Parker:

I know the other witnesses might have a better idea here, but certainly it's something that should be a priority for the AGs that are enforcing these rules.

Sen. John Hickenlooper (D-CO):

But again, they'll need some penalty or there needs to be some incentive, some way of moving people. Anybody else want to comment on that? Don't feel the obligation. I have more questions.

James Lee:

Oh, I've got comments. To your point, it took from 2003 until 2018 to get all 50 states, the territories and the District of Columbia to have a data breach law. And they're all different. They all have different triggers of what constitutes a breach. They all have different requirements for what is in a data breach notice. And in every instance it is the organization that has lost control of the data that gets to decide if there is a notice. Oregon will allow a consultation with law enforcement, but other than that, the organization makes the determination. Where you live determines how much information you have, if you have any information, and what resources are made available to you. So when we talk about national standards, that's why we mentioned data breach notifications have to be part of that, because those are both education opportunities for the individuals and their opportunities to make sure that we don't have repeat occurrences.

Sen. John Hickenlooper (D-CO):

Absolutely. Anyone else? You've all referred to it at one point or another, and I don't know whether that serves a certain amount of irony in some of the comments, but the swiftness of response. Would you all agree that swiftness needs to be a goal, something that we should find ways, both within government but also within the business community, of accelerating responses and making sure that swift becomes an important factor? Start, Mr. Parker, we'll go up this way just for a change of direction.

Jake Parker:

Absolutely agree with that.

Prem Trivedi:

Yeah. I think both on the cybersecurity incident response side as well as on the pace at which we should move on data security and privacy legislation, swiftness is essential.

Sen. John Hickenlooper (D-CO):

Say that louder when you say that. No, I'm just kidding. We want it to fill the room.

Sam Kaplan:

Senator, swiftness when responding to a cyber incident is critically important. One of the things that we've seen from Palo Alto Networks is the average incident response time for companies as recently as 2021 was 44 days that it would take companies to address a cyber incident when it occurred, and it was 44 days till they started seeing data exfiltrated from those attackers. We've seen that exfiltration timeline decrease to just days and hours. And if you take that in context with the average time that it takes for a company to respond to a cyber incident and mitigate it, which is six days: if attackers are starting to exfiltrate data in one day, in just a handful of hours, you're losing data. So swiftness is a critical aspect.

Sen. John Hickenlooper (D-CO):

Absolutely. Mr. Lee.

James Lee:

I agree.

Sen. John Hickenlooper (D-CO):

Great, thank you. I might have one more question. First I'm going to turn to Senator Budd.

Sen. Ted Budd (R-NC):

Thank you, Mr. Chairman. And again, thank you all for being here today. So much commerce, business work and social interaction now takes place online, as you all know. And there's a large volume of sensitive data that goes into those online interactions. In many ways that data has become the lifeblood of the digital economy, connecting small businesses with customers and improving online services. So I know this firsthand as a small business owner who has run digital advertising campaigns myself. I also know that the majority of businesses take data security extremely seriously. Burdening customers with what may feel like arbitrary, excessive, or overly sensitive personal information disclosures is a poor way to instill customer trust, and protecting against devastating breaches is a must. Mr. Parker, you mentioned how important uniform standards and laws are to the Security Industry Association members. Is there an example that you could share where conflicting laws between states have reduced business opportunities for any of your member companies?

Jake Parker:

Sure, absolutely. So the prime example of this is the Illinois biometric data privacy law known as BIPA, where it was formulated, I think, more than 15 years ago when that technology was in its infancy. A lot of misunderstandings about it, but it's certainly because of the way it was structured and the private right of action attached. It's created a sue-and-settle environment where there's tremendous litigation risk in fielding the technologies, even if they're deemed to be compliant. And so as a result, there's a number of our member companies who do not actually offer their products to customers in Illinois anymore because of what's happened with that.

Sen. Ted Budd (R-NC):

Any particular products that you can recall?

Jake Parker:

Well, within biometrics there's many different types of products, but just to give you an idea, 88% of the lawsuits under that law have been regarding biometric time clocks. So basically a way to authenticate your identity for punching in and out of work, no allegations that harm actually occurred to anyone. There was some misstep in collecting consent and things like that that were found, and that was a basis for class action lawsuits and things like that. Even though some products, certainly in the security area, cannot even be fielded there under the rules, in other cases, with products like that, some people will just say, forget it, we're not going to even bother.

Sen. Ted Budd (R-NC):

The savings from those systems, I would know firsthand. They save businesses money, they make them more competitive, allow them to pay employees more, hire more employees. So I see the challenge there. Mr. Parker, can you speak to how uniform national requirements and legal liabilities would improve the ability of your member companies to protect personal data?

Jake Parker:

Yeah, so I mean, I think having a national standard that fully preempts state and local laws on data privacy would definitely save on compliance costs, but it would also be better for the global competitiveness of our companies that can align what they're doing with other parts of the world as well, versus having people track what's going on in each individual state and what products can be offered where under what circumstances. So there's definitely a tremendous advantage of having a national framework and standard.

Sen. Ted Budd (R-NC):

Thank you. You mentioned that the Security Industry Association encourages its members to implement resources like how to counter AI-driven cybersecurity threats to physical security products. Just as an example, are your members seeing criminals use AI in new ways?

Jake Parker:

Yeah, so one thing we're certainly, I was just talking to some of our cybersecurity experts in the industry about this, but one thing that's emerging is the ability to detect when video has been altered. And so security video is obviously really important to what we do and provide to customers, but you want to make sure that that can't be manipulated by bad actors for fraudulent purposes or maybe needed to further some other criminal activity. And so there's definitely technology available that is verifying the authenticity of data that's stored and making sure it hasn't been altered. So that's one area.

Sen. Ted Budd (R-NC):

Thank you. Thank the panel. Chairman.

Sen. John Hickenlooper (D-CO):

Thank you, Senator. Okay, I'll be quick. I know you guys have been here for a while, and a couple of you already commented on this, but I just put in a fair amount of, our office put in a fair amount of work on the American Privacy Rights Act, and it affects what we're talking about today. It is about security in addition to privacy. I think all of you have pointed out that there's a connection there that is inviolate. What are your feelings? And we'll go right down the list on APRA, in terms of if you've got something that bothers you or constructive criticism, out with it. But if you think we need to have a sense of urgency, and a couple of people have referred to quantum computing as it comes down the pike, if that doesn't give us a sense of urgency around these issues, then nothing will. Well, anyway, it's always you, Mr. Lee.

James Lee:

I do think there should be a sense of urgency just because of, we don't even have to get to quantum. We can just look at artificial intelligence and just the efficiency and the depth and breadth that it is bringing to everything from creating malware to phishing attacks. We're seeing more and more phishing attacks, which are very basic, that are letter perfect, that fool even professionals. They are so good. Whereas a couple of years ago, everybody would kind of go, yeah, yeah, Bank of America isn't spelled with B-A-A-N-K. You can't do that anymore. It is good and it is getting better. For the most sophisticated, you've got deepfake video, you have voice cloning, you have risks that are primarily to businesses, but individuals will be the vehicle to get to the business attack. So there is a sense of urgency. My watch-out on the Privacy Rights Act would be: beware the law of unintended consequences. As we talked about a little bit with data minimization, we still need data, and we need it for some very specific purposes, because it's used for anti-fraud, used for identity verification to prevent identity crimes. So in our zeal to protect consumers and give them access, we also have to be realistic that we still need some data.

Sen. John Hickenlooper (D-CO):

Thank you Mr. Kaplan.

Sam Kaplan:

Senator, we're still evaluating APRA. We do think that in this current version there are some beneficial aspects, like specifically...

Sen. John Hickenlooper (D-CO):

Wait. So I started this with a sense of urgency. You still evaluate...

Sam Kaplan:

With a sense of urgency, and I can hit that. So what we've seen with regard to artificial intelligence, for example, to echo what Mr. Lee said, is we have seen threat actors leverage this to create really sophisticated spear phishing attacks. Senator Blackburn brought up quantum threats. Right now, there is a campaign of harvest now and decrypt later, where malign nation states are collecting data, even encrypted data, knowing that the day is coming when they'll be able to decrypt it. So the urgency is really: harden your systems now and secure your systems now and secure your data now. One of the beneficial aspects of APRA that we see is those strong permissible purposes for cybersecurity companies. Mr. Lee also talked about the uses of data, both for our cyber defenses but also in artificial intelligence. And just a quick stat: we leverage AI across our systems and capabilities, and we are able to detect 2.3 million unique attacks that weren't there the day before. This is a process of continuous discovery, and we're able to leverage our security data and those AI tools to block 11.3 billion attacks per day. And that's just one player, one company in the cyber ecosystem. So the utility of this data I think is proven, and that's where sort of the flexibility of something like the permissible purposes in APRA is critical to securing everybody's data.

Sen. John Hickenlooper (D-CO):

Great. Great. Mr. Trivedi?

Prem Trivedi:

Thanks for the question, Senator. I think, and we've said publicly, that APRA includes some of the necessary pillars of sound privacy legislation. I won't list all of them, but I think it is germane to today's conversation: strong data minimization principles, online civil rights protections, privacy rights for users to be able to view, correct, opt out of and delete their data, stop its sale or transfer. These are essential elements of data protection and consumer protection. And so we're heartened to see this credible proposal reemerge. In terms of constructive areas to focus on, I think one of the areas of concern for us has been the scope of FCC preemption in APRA. We've seen with the recent announcement from the FCC fining wireless carriers the depth of their expertise and ability to act, to be a cop on the beat with respect to ISP privacy, internet service provider privacy. I think that's essential. And so we would focus on this issue, not to have overbroad preemption of the FCC's ability to exercise longstanding expertise in their domain on privacy. Interesting.

Sen. John Hickenlooper (D-CO):

Alright. Thank you Mr. Parker.

Jake Parker:

So just to speak to urgency from a policy perspective versus cybersecurity. Three years ago there was one state that had a data privacy law, and now there's 19. So I think there's definitely a window of opportunity to have a federal standard. Many of those states that have acted since then have very similar frameworks, but there is a potential that they're different enough that a 50-state patchwork of laws harms the economy. And so it's important to consider acting soon. That said, we're still looking at the proposal and gathering input from members, but we definitely applaud Chair Cantwell and Chair Rodgers for working to get to this place. And I would say that there are significant improvements over what we saw two years ago. One example in particular: we're pleased with the data minimization permissible use purposes related to cybersecurity and physical security, which we think are very well-defined and well-crafted. But there are some other issues and questions, mainly, I think, that need to be addressed in moving forward. I mentioned earlier how important it is to have strong preemption. We're definitely getting questions from members about whether what's in the proposal now is adequate enough to be truly the national standard that it's intended to be. So I think that needs a clear answer. And there are a few other more detailed issues in the bill, but we're definitely still looking at it and providing input.

Sen. John Hickenlooper (D-CO):

Okay, keep those cards and letters coming, as they say on TV. I guess they used to say that on TV. I appreciate all those comments about APRA. I think I have a great sense of urgency on it, and I think that this is a wonderful time to work on something like data privacy on a bipartisan basis right before a big election. But this should not be a partisan issue. And I think we've seen a lot of bipartisan participation so far. But I'm hopeful that the people you all represent will continue to push with a sense of urgency this year to get this done. I think it's doable. I think we're done here for today. But thank you all for your effort. Members can submit additional questions for the record until May 22nd. We thank you in advance for taking the time to answer those; please provide responses, hopefully by June 5th. And with that, I will adjourn.

Authors

Justin Hendrix
Justin Hendrix is CEO and Editor of Tech Policy Press, a new nonprofit media venture concerned with the intersection of technology and democracy. Previously, he was Executive Director of NYC Media Lab. He spent over a decade at The Economist in roles including Vice President, Business Development & ...
