July 28, 2005
Chairman Stearns, Ranking Member Schakowsky, and Members of the Subcommittee: My name is Michael Hintze, and I am a Senior Attorney at Microsoft Corporation. I want to thank you for the opportunity to share with the Subcommittee our views on data security legislation. In light of the number of recent serious security breaches, the increasing concern nationwide over identity theft, and the ever-rising but often inconsistent number of state laws imposing security and customer notification requirements, Microsoft firmly believes that now is an appropriate time for Congress to adopt federal data security legislation.
Microsoft applauds Congress and the members of this Subcommittee for their attention to data security and identity theft issues. As the Federal Trade Commission has reported, in 2003 alone, roughly 10 million Americans suffered from identity theft, costing businesses $47.6 billion and consumers almost $5 billion. As a leading provider of software and online services, Microsoft is particularly concerned that identity theft threatens to erode trust on the Internet, and we are deeply committed to working with you, law enforcement, and others in the industry to maximize deterrence and minimize the opportunities for identity thieves.
Today, I want to address the focus of this hearing – data security legislation. Microsoft generally supports the draft legislation before this Subcommittee, dated June 30, 2005 (the “Discussion Draft”), that would require companies both to adopt an information security program and to notify consumers in the case of a security breach. This legislative approach would be an effective complement to Microsoft’s own multi-faceted strategy for protecting individuals’ personal information, which includes developing and implementing technological solutions, educating consumers about ways to protect themselves while online, meeting or exceeding industry best practices on privacy and security, and enforcing existing laws. My testimony today highlights some of the key issues raised by federal data security legislation and by the Discussion Draft in particular, and recommends ways to proceed toward the goal of creating a trusted environment for Internet users.
Businesses Should Be Required to Adopt an Information Security Program.
Microsoft supports legislation that would require companies engaged in interstate commerce to adopt an information security program. But in order to be effective, while avoiding unnecessary burdens on responsible businesses, such legislative requirements should be both broadly applicable and sufficiently flexible to meet the security challenges across a wide variety of business environments and scenarios.
(1) Federal Legislation Should Enable Companies to Implement Security Measures Best Suited for Their Environments.
First, any such legislative requirement should recognize that security is an ongoing process, that the threats to data security are constantly changing, and that the degree and type of risk can vary from one situation to another. An appropriate and effective information security program will depend on a number of factors, including, but not limited to, an entity’s size, the nature of its business, the amount and type of information it collects, and the number of employees that it has. In short, federal legislation must provide flexibility to enable companies to adopt security policies and procedures that are responsive to their risk level.
With this in mind, the framework for an information security program set forth in the Gramm-Leach-Bliley Act (“GLB”) is preferable to that outlined in section 2(a) of the Discussion Draft. In GLB, Congress directed the relevant agencies to provide for the establishment of “appropriate … administrative, technical, and physical safeguards –
to insure the security and confidentiality of customer records and information;
to protect against any anticipated threats or hazards to the security or integrity of such records; and
to protect against unauthorized access to or use of such records or information which would result in substantial harm or inconvenience to any customer.”
In response to this directive, the FTC implemented regulations that require the development of information security programs “appropriate to the [subject entity’s] size and complexity, nature and scope of … activities, and sensitivity of the customer information at issue.”
Microsoft believes a flexible framework such as that established by GLB and the FTC’s implementing regulations makes sense. It gives individual organizations –– which are in the best position to understand the particular security measures that are best suited to the different types and forms of personal information they maintain –– the discretion to implement the most appropriate technologies and procedures for their respective environments. In contrast, a set of federally-mandated technical specifications would inevitably impose too high a burden on some organizations for some information, but not adequately protect some personal information held by other organizations. And, because security measures are constantly changing and improving as technology advances and engineers respond to evolving threats to information security, a one-size-fits-all regime would likely and rapidly become obsolete.
For these reasons, Microsoft urges the Subcommittee to replace its current section 2(a) with language modeled on the framework set forth in GLB and the FTC’s implementing regulations. In addition, in light of the importance of ensuring that implementing regulations give companies the discretion to adopt programs that best suit their respective needs, Microsoft encourages Congress to direct the FTC to allow entities to develop information security programs consistent with the following: (1) the entities’ size and complexity, (2) the nature and scope of their activities, (3) the sensitivity of the personal information at issue, (4) the current state of the art in administrative, technical, and physical safeguards for protecting information, and (5) the cost of implementing such safeguards. Microsoft believes such a flexible approach is the best way to protect individuals’ personal information now and into the future.
(2) Federal Security Requirements Should Apply to All Personal Information.
If federal data security legislation includes sufficient flexibility to enable companies to develop security practices and procedures that are tailored to the situation based on these factors, Microsoft believes that federal information security requirements should apply to all personal information housed by an organization in any form, whether electronic or paper. There is no reason to limit the requirements to protect personal information to its electronic form: The consequences of a loss or misuse of personal information in paper form can be just as serious and devastating to the affected individuals as a loss of that same data in electronic form. Likewise, the federal security requirements should not be limited only to sensitive information that, if exposed, could lead to identity theft. Although a breach of non-sensitive personal information may not expose individuals to identity theft, it can have other negative consequences. Again, as long as the federal legislation avoids mandating a one-size-fits-all approach to this data and instead provides flexibility, the security requirements can reasonably be applied to all personal information. The creation of such a single, flexible framework for all personal information will create broader protection for consumers as well as increase efficiency for businesses that otherwise could be faced with having to comply with additional and inconsistent security requirements imposed by other state or federal laws.
With this background in mind, Microsoft respectfully suggests that the Subcommittee reconsider the approach taken in section 2(a) of the Discussion Draft. This section appropriately directs the Federal Trade Commission to adopt implementing regulations governing information security programs, but only with respect to a narrow class of sensitive personal information and only with respect to any such information maintained in electronic form. For the reasons stated above, Microsoft urges Congress to expand the scope of this provision.
(3) Providing Flexibility in the Information Security Requirement is Essential to Avoid Unnecessary Burdens on Small Businesses and Those That Handle Minimal Amounts of Personal Information.
Finally, we note that a flexible approach to security, such as the one outlined above, also is essential to alleviate the potential burden that a national information security requirement could impose on small businesses. However, if the Committee believes that the potential costs of a national information security requirement necessitate some sort of small business exemption even with the flexible approach that we recommend, Microsoft believes that such an exemption should be triggered by the number of individuals whose personal information an entity handles and not by the size of the business. For example, given the costs of compliance relative to the risks of exposure, it might make sense to exempt from at least section 2(a) an entity that collects, stores, uses or discloses personal information from fewer than 5,000 individuals in any twelve (12) month period.
Businesses Should Be Required To Notify Consumers When There Is A Material Risk of Harm.
Microsoft recognizes that notifying individuals of security breaches can be an effective element in the effort to reduce the costs and other harms associated with identity theft. But we believe that for a notification requirement to provide effective warning to consumers, and to be reasonable and fair for all business entities engaged in interstate commerce, it must be triggered only when there is a material risk of harm to an individual. As recent reports have indicated, an overly broad notification requirement could have negative effects. For example, consumers may begin to receive so many notices that they become accustomed to such notices and/or become unable to differentiate between those breaches that represent a serious risk and those that do not. One likely result is that some consumers will do nothing in response; as a result, the costs of the notice will be incurred in vain, and consumers will continue to bear the risk of any resulting identity theft. Other consumers may err on the side of over-reaction, responding to even harmless breaches by imposing credit freezes, fraud alerts or changing or closing accounts –– all of which impose significant and unnecessary costs. For these reasons, Congress should proceed carefully when articulating the standard that triggers notification. We believe that the best standard is one that incorporates a materiality threshold such as the one the federal banking regulators have applied in the Interagency Guidance on GLB — namely, notification is required when there is a reasonable possibility of misuse.
(1) Notification Obligations Should Be Triggered When Misuse Is Reasonably Possible.
Microsoft believes that the Interagency Guidance on GLB provides a workable framework for a national notification standard. That guidance focuses on whether, as a result of unauthorized access, “misuse of … information … has occurred or is reasonably possible.” Although the Discussion Draft contains a relatively flexible standard, we have some concern that the “may result in identity theft” formulation is vague, and in any event, that the formulation would establish a slightly different standard than GLB has been interpreted to apply to financial institutions. This Interagency standard provides clear guidance to industry and consumers: it appropriately requires an organization to investigate the circumstances of any unauthorized access, and to analyze the risks posed to affected individuals before any notification is required. Microsoft believes it is critical to make companies responsible for determining the details of an unauthorized access to sensitive financial information and the level of threat resulting from the specific circumstances. If an investigation concludes that misuse of a consumer’s information has occurred or is reasonably possible in light of the facts surrounding the security breach and the exposure of the information, then notification must be provided. Thus, this standard ensures that only those consumers who are reasonably at risk receive notification, and in so doing, it mitigates both the risk of over-notification and the risk of consumer over- and under-reaction.
(2) Notification Obligations Should Cover Only Unencrypted Sensitive Personal Information.
The purpose of notifying an individual of a security breach is to enable that person to prevent two potential types of identity theft: (1) the misuse of his or her existing credit card or other account, and (2) the fraud that is perpetrated when a thief opens a new account in his or her name. The scope of any notification obligation should be limited to the class of personal information that could lead to such misuse. This information should include Social Security numbers, and it should include credit card information associated with other information that could enable someone to access an account or make a credit card purchase. This information should not include basic personal information –– such as name, address or telephone number –– that, alone or in combination, presents virtually no increased risk of identity theft.
The Discussion Draft applies its notification requirements to a narrow class of personal information, which is appropriate. To clarify that this information is particularly sensitive, Microsoft recommends that the Discussion Draft rename this class of information “sensitive financial information.” It should then include a broader definition of “personal information” to which the obligations set forth in section 2(a), as described above, apply.
However, within this class of so-called “sensitive financial information,” Microsoft believes that encrypted information should be excluded. Data encrypted using standard methods is either impossible or impracticable to decipher. Therefore, there is no reasonable possibility of its misuse if it is accessed without authorization. In addition, by specifically exempting such encrypted information from the standard for notification, Congress will be creating an explicit incentive for companies to adopt encryption technology, thereby reducing the risk of a security breach in the first instance. If Congress has concerns that a general encryption exception is too vague and could be abused, Microsoft would support allowing the exception to apply only to certain levels of encryption –– e.g., the encryption level set forth in the Federal Information Processing Standards issued by the National Institute of Standards and Technology –– or more generally to encryption adopted by an established standard setting body combined with an appropriate key management mechanism to protect the confidentiality and integrity of associated cryptographic keys in storage or in transit.
(3) Notification Obligations Should Capture Data Maintained In Any Form.
Microsoft believes that the public policy interest in protecting sensitive financial information against malicious use by third parties extends to all forms of data, regardless of whether it is housed in electronic or paper form. For this reason, we believe the notification requirements set forth in section 3 of the Discussion Draft (like the general security obligations set forth in section 2(a)) should not be limited to electronic or computerized data. This is the approach followed in the Interagency Guidance on GLB.
Although expanding the requirement beyond data in electronic form would potentially heighten the compliance costs associated with this federal legislation, the public policy supports such an expansion. Identity theft can be committed using information obtained offline and in a form other than just computerized data. Simply put, an identity thief can defraud a consumer using sensitive personal information maintained in paper form just as easily as the thief can using computerized data. To adequately protect consumers, the notification requirements of the legislation should therefore apply to all sensitive financial information –– regardless of the form in which the information is maintained.
Congress Should Give Companies Discretion To Determine the Most Appropriate and Effective Method For Notification.
Microsoft believes that for a nationwide notification requirement to be administratively workable, business entities subject to the requirement should have flexibility in how notice is provided. This is because the appropriate method for notice will turn on the size and type of the entity providing the notice, the number of people required to receive notice, the methods by which the entity typically communicates with its customers or other individuals, and the relative costs for different methods of providing notice. For these reasons, the Interagency Guidance on GLB provides discretion to covered entities to provide notice “in any manner designed to ensure that a customer can reasonably be expected to receive [the notice.]”
Microsoft urges Congress to follow the model of the Interagency Guidance by giving companies discretion to issue notice in various ways, so long as the notice is reasonably expected to reach the affected individuals. The Discussion Draft, which would obligate an entity to provide notice to an individual in writing and by e-mail and through the entity’s website, is too restrictive, and there is a real risk that it could lead to less effective notifications and/or be too costly for many entities to implement. Rather, federal legislation should enable entities to provide notice via telephone, regular mail, or electronic mail, depending on the circumstance. Indeed, many individuals who have received notices of security breaches report that they appreciate getting them by telephone, which personalizes the process, makes the notice less intimidating, and provides an immediate forum for the individual to ask questions. While telephone notice may not be feasible in cases requiring mass notification, it is an option that should be permissible consistent with the interpretation of GLB.
Microsoft also believes that entities should be required to try to reach individuals directly, unless certain cost or quantity thresholds are present or there is no known number, mailing address, or electronic mail address for an individual. Accordingly, Microsoft would propose using mass media notice and Internet postings only in exceptional circumstances requiring substitute notice.
Congress Should Consider Internal and Law Enforcement Investigations When Analyzing the Appropriate Timeliness of Notification.
Microsoft is pleased that the Discussion Draft accounts for the immediate obligations of a company in the aftermath of a breach by allowing reasonable time for a company to determine the scope of the breach and to restore any compromised systems before issuing notice of the breach. Microsoft also believes, however, that federal legislation should account for the needs of law enforcement in investigating the breach. It is often the case that immediate notification to the public can interfere with a criminal investigation of the underlying incident. If, for example, law enforcement officials are in the process of identifying or apprehending potential suspects, a public announcement may cause the suspects to flee, destroy evidence, or otherwise obstruct these efforts to bring the perpetrators to justice. The existing GLB guidelines regulating financial institutions, as well as most state breach notification laws, have accounted for these concerns by allowing for delayed notification, consistent with the legitimate needs of law enforcement.
The risk of any abuse with this delay in notification is easily addressed by vesting the authority for any such determination in law enforcement, rather than the company itself. As the Interagency Guidance on GLB provides, “notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay.” By accounting for these contingencies in imposing a notification requirement, Congress can balance the interests of consumers, the legitimate needs of law enforcement, and the immediate responsibilities of companies suffering data security breaches.
Strong Federal Preemption Is Warranted.
Microsoft believes that for federal legislation to be meaningful in this area, it must address the problem of state laws imposing potentially inconsistent security and notification requirements. In other words, we strongly feel that federal legislation requiring entities to implement an information security program and to notify individuals of security breaches must “occupy the field.” As we have seen with the rash of major security breaches over the past several months, information security is a national problem that affects all Americans. Federal legislation that preempts inconsistent state laws is therefore crucial to protect consumers while allowing responsible businesses to operate without unnecessary burdens.
Over the past several months, more than a dozen states have enacted breach notification laws, with a few of these states also requiring entities to adopt security procedures. Although these statutes generally have been patterned after the California law, which pioneered breach-related legislation, the statutes are not uniform, and their differences can be striking. For one, the statutes sometimes differ on the very definition of “personal information,” with some states broadly covering any account information, some requiring a name coupled with other identifying information, and some including a Social Security number alone. Similarly, the statutes differ in their jurisdictional scope, with most applying to entities conducting business within the state, but others applying to anyone who possesses information about residents of the state. The statutes are also inconsistent as to when notification is required, with some states providing an exception when the breach is reasonably believed to be harmless. In addition to these disparities, provisions regarding notification period, notification method, and available remedies often vary from state to state.
Although some have argued that the federal provision should create a “floor,” above which states are free to impose additional requirements, this would not solve the problem caused by the existing patchwork of state regulation. In such an environment, any company that participates broadly in the national economy must either abide by the strictest applicable standard, or otherwise take measures to compartmentalize its transactions on a state-by-state basis. Under the former approach, any federal legislation would be rendered meaningless absent preemption. And given the realities of today’s virtual economy, the latter option is largely impracticable; or, for those companies that tried to comply with requirements on a state-by-state basis, it would potentially cause a harmful distraction from what is important –– protecting the security of consumers’ personal information and promptly notifying any affected consumers in the event of a security breach that could reasonably lead to the misuse of unencrypted sensitive financial information. Therefore, the only realistic solution that protects consumers while minimizing the operational burdens on responsible businesses is to adopt a nationwide standard for security and notification. That standard should certainly be robust, but, once adopted, should apply uniformly. Hence, any federal legislation on this topic should specifically preempt state security and notification laws.
The Discussion Draft includes an appropriate preemption provision. That said, Microsoft supports adding language to the preemption provision to make clear that only State Attorneys General can bring a civil action under state law that is premised on a violation of the federal legislation. At the same time, we recognize that State Attorneys General can play a vital role in ensuring that companies adhere to sound information security practices. Accordingly, Microsoft also supports any clarification that enables State AGs to directly enforce the provisions of the legislation and also ensures they can continue to rely on their enforcement authority under state consumer protection laws.
Congress Should Consider Additional Provisions In Data Security Legislation.
Requiring entities to implement security procedures that apply to personal information and to notify individuals of security breaches, where the misuse of unencrypted sensitive financial information is reasonably possible, makes sense. But these approaches do not fully address a key concern raised in response to recent security breaches — a lack of transparency as to how companies are using and disclosing personal information in the first place. Individuals want to understand better the entities that maintain their personal information, the types of information they maintain, how they use that information, and the third parties with whom they share such information. For this reason, in addition to supporting reasonable security precautions and notification requirements, Microsoft looks forward to working with the Subcommittee on appropriate legislation that addresses these broader concerns. Microsoft believes that adopting a tailored but more complete approach to data security legislation at the federal level will better inform consumers about who is using their personal information and how, and thereby empower consumers to exercise meaningful control over their personal information both before and after any security breach occurs. In addition, a national standard will give consumers and organizations that are facing a patchwork of privacy and data security requirements at the state level clarity about the standards for collecting, using, disclosing, and storing personal information.
We commend the Subcommittee for holding this hearing today and appreciate your determination to seek strong legislation to help curb identity theft. Thank you for extending us an invitation to share our recommendations on the Discussion Draft, and we look forward to working with you on additional means to help inform and empower consumers both before and after a security breach occurs. Microsoft is committed to creating a trusted environment for Internet users, and looks forward to working with you toward this common goal.
i Federal Trade Commission, Identity Theft Survey Report 7 (Sept. 2003), available at http://www.consumer.gov/idtheft/stats.html [hereinafter “Identity Theft Survey Report”].
ii 15 U.S.C. § 6801(b).
iii 16 C.F.R. § 314.3.
iv We also note that as currently drafted, the Discussion Draft could create different regimes for entities that are subject both to GLB and to the reach of new data security legislation. That said, excluding entities covered under GLB from new data security legislation, and then adopting a different standard for other entities, would subject companies that house the exact same information to different regulatory frameworks — e.g., a retailer would be subject to a different information security framework than a bank. For this reason, we support creating uniformity to facilitate both the development of best practices and the development of service-related expertise — such as that provided by auditors — in the area of information security.
v This testimony focuses on subsection (a) of Section 2. With respect to subsection (b) — which applies special requirements to information brokers — Microsoft has only two brief observations. First, the definition of “information broker” requires a slight revision to make clear that it applies strictly to those entities whose primary business is selling consumer data. Second, while Microsoft generally supports giving individuals access to personal information collected about them, we think that certain reasonable exceptions must accompany such a legislative requirement for it to make sense. For example, access should not be required where the individual requesting access cannot reasonably verify his name or identity as the person to whom the personal information relates; the rights of other persons would be violated; the burden of providing access would be disproportionate to the risk of harm to the individual; revealing the information would compromise proprietary or confidential information, technology, or business processes; or revealing the information would be unlawful or affect litigation or a judicial proceeding in which the business or individual has an interest.
vi By “sensitive information” we mean the kinds of data that are included in the Discussion Draft’s definition of “personal information.” Although we advocate for a broader scope for security requirements, as we note later, this narrower definition remains relevant for the purpose of defining the scope of information that should trigger a notification obligation.
vii For example, if a number of e-mail addresses wind up in the wrong hands, those individual recipients could be deluged with unwanted spam that renders their e-mail account virtually unusable – or even subjects them to harmful phishing scams that trick them into disclosing sensitive financial information to would-be identity thieves. The exposure of other non-sensitive personal information can have similarly invasive consequences on an individual’s privacy.
viii It is worth noting that the FTC Consent Orders on security have required businesses to implement security programs for all personal information, not just sensitive personal information.
ix See, e.g., Henry Fountain, “Worry. But Don’t Stress Out,” Wall Street Journal, June 26, 2005, Section 4, p.1.
x See Thomas M. Lenard & Paul H. Rubin, “An Economic Analysis of Notification Requirements for Data Security Breaches,” The Progress & Freedom Foundation 10-11 (July 2005).
xi Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 70 Fed. Reg. 15736, 15752 (Mar. 29, 2005) (emphasis added) [hereinafter “Interagency Guidance”].
xii See Identity Theft Survey Report, supra note 1, at 4.
xiii We think that, if Congress explicitly exempted encrypted information from the notification requirement, there would be little risk of abuse — after all, as a general matter, it is just as easy to use readily available good encryption technology as it is to use readily available weak encryption technology, so there would be little incentive to use a lower standard.
xiv Interagency Guidance, supra note 11, at 15753.
xv Larry Ponemon, “Opinion: After a Privacy Breach, How Should You Break the News,” Computerworld, July 5, 2005.
xvi Interagency Guidance, supra note 11, at 15752.