WASHINGTON – Senate Judiciary Committee Chairman Patrick Leahy said Tuesday that cyber-attacks are a constant threat that won’t go away, and asked leaders of Target and Neiman Marcus to help find solutions to better guard consumers’ online information.
“I think we’re all united in the same thing,” Leahy, D-Vt., said, also welcoming Symantec Corp. and the Consumers Union. “We all want to stop these attacks and we’re always going to have these attacks.”
The Target data breach last year affected payment card data of about 40 million shoppers and personal data of up to 70 million shoppers. It had the potential of putting one in three Americans at risk of broad identity theft, said John J Mulligan, executive vice president and chief financial officer at Target.
Breaches at Neiman Marcus affected 1.1 million. The Secret Service cyber crime investigations team has arrested more than 4,900 suspects associated with $1.37 billion in fraud losses in the last four years.
“Half of the fraud occurs in the United States but only a quarter of the credit card use,” Richard Blumenthal, D-Conn., said. “Something is wrong with this picture.”
Sen. Dianne Feinstein, D-Calif., questioned witnesses on their notification processes during data breach, noting that she found resistance from firms in developing individual notification processes during her efforts to pass data legislation in 2003.
“I worked on the bill and it’s not going to go anywhere because of notice provisions,” Feinstein said. “If someone has an account and their data has been breached, they should be notified. The public notification is really vague and then you find out in other brutal ways if you have money missing.”
Target notified the public during their data breach, but Mulligan did not clarify whether they had also notified individual account holders.
“We thought the public should know,” he said.
Michael R. Kingston, senior vice president and chief information officer at Neiman Marcus, said that Neiman Marcus notified its individual shoppers.
Sen. Michael Lee, R-Utah, questioned whether developing standards could pose new risk in terms of notifying crooks what systems are in place. Kingston conceded “there is inherently going to be some risk.”
Delayed notification may also be appropriate when it comes to law enforcement and catching the criminals, said Edith Ramirez, commissioner of the Federal Trade Commission.
“Balancing is exactly the right word. Companies should notify customers as soon as possible,” Ramirez said. “If there needs to be a delay because of criminal investigations, we think that is also appropriate.”
Ramirez noted the FTC thinks the public should be notified within 60 days of a data breach. She also requested rule-making authority and civil-penalty authority so the FTC could play a regulatory and enforcement role in preventing data breaches.
Flexibility in any legislation is key to addressing a changing environment and evolving threats, said Fran Rosch, senior vice president of security products and services at Symantec Corporation, a cyber security firm.
“It’s not only that the cyber threats are evolving quickly,” Rosch said. “Our environments are changing really quickly. Today info is everywhere. It’s in our data centers, it’s in the cloud. The threats are exploding and so are the attacks.”
The committee discussed implementing EMV technology, a chip-based means of securing payment transactions developed by Europay, MasterCard and Visa, as well as universal use of pins to increase payment security. The companies have set a 2015 deadline to implement this chip technology in their American cards. Europeans already use them.
Mulligan readily said Target would be prepared to meet Visa and MasterCard’s 2015 deadline to implement chip and pin technology, whereas Kingston said Neiman Marcus would look into it. Both acknowledged that implementing chip and pin could be a work-intensive process.
“I think we’re very supportive of those and other technologies but we all need to understand that there is a lot of work involved to do that,” Mulligan said.
Implementing chip and pin would require new cards, new software and new pin pads, which Kingston noted would be very costly.
While Rosch agreed that chip and pin technology is a good start for protection, it is one of many layers of security that need to be addressed. Encryption, he said, could ensure that “bad guys” who do get data find no value in it.
Leahy has reintroduced the Personal Data Privacy and Security Act that he first authored and sponsored in 2005. The bill would create a standard for data breach notification and require businesses to safeguard any stored personal information they have on consumers. Blumenthal has also introduced the Personal Data Protection and Breach Accountability of 2011, which combats data breach risks for consumers and businesses.
“It’s clear that companies need to do a lot more,” Ramirez said.
