Target, federal agencies set to testify before Senate early Feb

By Chad Hemenway on January 30, 2014

Next week the chief financial officer of retailer Target is set to appear before members of the US Senate during a hearing on data breaches.

John Mulligan, executive vice president and CFO, is scheduled to be a part of a panel that includes Delara Derakhshani, policy counsel for the Consumers Union.

Edith Ramirez, chairwoman of the Federal Trade Commission; William Noonan, deputy special agent in charge of the US Secret Service’s Criminal Investigative Division; and Mythili Raman, acting assistant attorney general with the US Department of Justice’s Criminal Division are slated to be a part of a second panel during the hearing, “Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime.”

The hearing is before the US Senate Judiciary Committee, chaired by Sen. Patrick Leahy (D-Vt.), who in early January reintroduced legislation to impose tougher penalties for the concealment of a breach; require companies to protect data privacy and security; and update current law to make harsher criminal penalties for attempted hacking and conspiracy to commit hacking.

The bill, the “Personal Data Privacy and Security Act,” is co-sponsored by Senators Al Franken (D-Minn.) and Chuck Schumer (D-NY).

“The recent data breach at Target involving the debit and credit card data of as many as 40 million customers during the Christmas holidays is a reminder that developing a comprehensive national strategy to protect data privacy and cybersecurity remains one of the most challenging and important issues facing our nation,” Leahy said in a January 8 statement.

The recent breaches did not exactly prompt the legislation. Leahy first authored the bill in 2005 and has reintroduced the bill in each of the last four Congresses.

“Although the Judiciary Committee favorably reported this bill numerous times, this legislation has languished on the Senate calendar,” he said.

Since Leahy’s statement, Minneapolis-based Target said an additional 70 million records with other customer information were also part of the hack. Malware was secretly installed on point-of-sale machines, Target said, from late November until mid-December.

High-end retailer Neiman Marcus and arts and crafts retailer Michaels have additionally announced they were victims of cyber attacks.

Neiman Marcus said about 1.1 million customer payment cards may have been visible to malware secretly installed on the retailer’s point-of-sale (POS) terminals from July 16, 2013 to October 20, 2013.

Michaels did not offer details on how it was breached. The retailer also released no estimate of how many customers may have been affected. The store said it is “working closely with federal law enforcement and is conducting an investigation with the help of third-party data security experts to establish the facts.”

According to reports, the malware installed on terminals at Neiman Marcus stores is believed to be the same malware that affected terminals at the nation’s third-largest retailer, Target.

It is not known if the Michaels breach is related to those at Target and Neiman Marcus. Following Neiman Marcus’ disclosure that it was investigating a breach, Reuters reported, citing unnamed sources, that there are “at least three other well-known US retailers” involved.

The FBI has warned retailers to expect and prepare for more cyber attacks, added Reuters. The bureau told retailers crime involving malware on POS systems will grow.

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalism experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824.