Today, I testified about data security breaches before the House Financial Services Subcommittee on Financial Institutions and Consumer Credit. Prompted by a rash of high-profile data breaches, the hearing examined ways to reform current federal and state data security regulations to help close gaps and reduce vulnerabilities. The hearing was also an opportunity to discuss what makes data so important, and steps that can be taken to promote better data stewardship.
Economic growth and job creation are rooted in digital data. The use of data has made businesses more agile, responsive, and competitive, boosting the underlying productivity of companies in every industry.
The public’s embrace of these data-enabled technologies cannot be taken for granted. If customers don’t trust that their data will be kept secure, they will not use the technology. Software companies, including BSA members, have taken important steps to protect privacy and security.
Nevertheless, data breaches continue to steal headlines far too regularly. The frequency of these incidents can be explained, at least in part, by the increasingly sophisticated nature of the threat actors that perpetrate criminal breaches. But experts also indicate that more than 90 percent of breaches could be prevented with basic cyber hygiene. So, consumers are right to ask whether companies are doing enough to protect their data.
Certainly, BSA members offer products and services that can help other enterprises meet the data security challenge. Just as a bank can better protect the individual financial assets of its patrons, BSA members provide cloud services that afford a level of protection for their customers’ digital assets that exceeds what most companies can efficiently provide on their own. However, security is a process, not an end-state, and managing the integrity of data once it is in the cloud remains a shared responsibility. Even a secure cloud computing environment can be breached if basic cyber hygiene isn’t used. Organizations that collect sensitive data need to manage the risks associated with that data throughout its lifecycle.
That’s where Congress can play a role.
In my testimony, I urged Congress to establish a uniform and effective federal standard for data security and data breach notification. Such legislation should accomplish three goals. Most importantly, it should minimize the risk of data breaches by requiring companies to implement reasonable data security practices. Second, it should mitigate the impact of breaches when they do occur by ensuring customers receive timely and meaningful notifications. Finally, it should reduce the complexity of compliance for companies currently grappling with 48 different state notification requirements.
BSA and our members are committed to being part of the solution to data security, and we look forward to working with Congress to achieve that.
Thank you to Chairman Blaine Luetkemeyer, Ranking Member Lacy Clay, and the Members of the Subcommittee for inviting me to be part of the discussion. You can read my full testimony here and watch a recording of the hearing here.