WASHINGTON – The federal government should set higher digital security standards for companies collecting consumer information to avoid future data breaches like those at three major national retailers that affected millions of Americans’ data over the last few months, experts told the House Energy and Commerce Committee on Wednesday.
Committee members cited the Target breach, which affected between 70 million and 110 million customers, as particularly troubling. Target, Neiman Marcus and Michaels all experienced data breaches recently.
“The recent Target breach served as a wake-up call,” said Illinois Attorney General Lisa Madigan, who is working on a multistate investigation into the three recent breaches.
Madigan told the committee her investigations of data breaches show many companies have few, if any, security or encryption measures in place to protect consumers’ information.
Edith Ramirez, chairwoman of the Federal Trade Commission, recommended a “robust federal standard” to ensure companies put in place minimum security measures to protect their customers’ data.
“Companies continue to make very fundamental mistakes,” she said. “They are not taking the reasonable and necessary steps that they need in order to protect the consumers’ information that they collect and use and retain.”
The software used to steal consumer information in the recent breaches was particularly disturbing because it was not an “off-the-shelf type of malware,” but was specifically tailored to carry out the attacks, said William Noonan, a Secret Service deputy special agent in charge of criminal cyber investigations.
Target and Neiman Marcus executives testified that the software used to steal their customers’ data could not have been discovered by the companies’ existing detection software.
Ramirez also said there should be federal notification standards requiring companies to notify their customers of security breaches within a certain timeframe.
Lawrence Zelvin, director of the National Cybersecurity and Communications Integration Center at the Department of Homeland Security, said the volume of information transmitted through online transactions will require a “whole nation effort” to protect because no one government agency or company can do it alone.
“These breaches remind us of how important this issue is, given the amount of personal information being collected from consumers,” Ramirez said.