Recent breaches, cyber security in D.C. spotlight

By Chad Hemenway on February 7, 2014

A series of Senate hearings this week attempted to shine a light on US cyber security and the rights of consumers.

The US has no federal law addressing either issue, but according to various testimonies at the hearings, senators are calling for legislation, and the Federal Trade Commission appears to be the front-runner to gain authority to police businesses—a fight the agency is now waging in court against some businesses.

“The FTC supports federal legislation that would strengthen its existing authority governing data security standards on companies and require companies, in appropriate circumstances, to provide notification to consumers when there is a security breach,” Edith Ramirez, chairwoman of the FTC, told the Senate Judiciary Committee on February 4.

Sen. Elizabeth Warren (D-Mass.) said during a Senate Banking, Housing and Urban Affairs subcommittee hearing on February 3 that Congress “seriously needs to consider whether to strengthen the FTC’s hand.”

“The FTC should have the enforcement authority it needs to protect consumers and it looks to me like it doesn’t have that authority right now,” Warren said.

Ramirez told lawmakers, “Never has the need for legislation been greater. With reports of data breaches on the rise, and with a significant number of Americans suffering from identity theft, Congress needs to act.”

“Legislation in both areas—data security and breach notification—should give the FTC rulemaking authority” as well as “jurisdiction over nonprofits and the ability to seek civil penalties to help deter unlawful conduct,” she added.

The hearings were convened in the wake of massive data breaches at major retailers Target, Neiman Marcus and Michaels as well as breaches at hotel management firm White Lodging.

Sen. Patrick Leahy (D-Vt.), chairman of the Judiciary Committee, said he was “alarmed” at the breaches, adding that the “threat and dangers of data breaches are also not unique to the retail industry.”

He said there have been significant data breaches involving Sony, Epsilon, and Coca-Cola, as well as federal agencies, such as the Departments of Veterans Affairs and Energy.

Big business

In a report prepared for the Senate Judiciary Committee, security software company Symantec called stealing credit and debit card data “big business,” with individual cards selling for up to $100.

Symantec said cybercrime gangs organize sophisticated operations to steal vast amounts of card data before selling it in underground marketplaces. A key finding of the report was that despite improvements in card security technologies and the requirements of the Payment Card Industry Data Security Standard (PCI DSS), there are still gaps in the security of point-of-sale systems like those infiltrated by hackers at Target and Neiman Marcus.

“This, coupled with more general security weaknesses in corporate IT infrastructure, means that retailers find themselves exposed to extremely resourceful and organized cybercrime gangs,” according to Symantec’s report.

Fran Rosch, senior vice president at Symantec, testified that the firm estimates the identities of more than 435 million were exposed in 2013 and that, over the last three years, the personal information of up to 750 million people “is or could be for sale on the black market to be used for identity theft, credit card fraud and countless other illegal activities.”

Global consumer cybercrime costs $113 billion annually, Rosch said.

Widespread, very challenging problem

Representatives from Target and Neiman Marcus also spoke of the cleverness of cyber criminals.

Michael R. Kingston, senior vice president and chief information officer at Neiman Marcus, said the retailer never had a significant cyber security invasion before last year. Considering the attacks on retailer peers, Kingston concluded, “The problem is clearly widespread. And the sophistication of these unprecedented cyber attacks makes the problem very challenging.”

Kingston and Target CFO John Mulligan each outlined multiple layers of preventative and detection programs to stop and/or quickly snuff out data breaches. But as Kingston realized, “No system—no matter how sophisticated—is completely immune from cyber attack.”

“Cybercrime has increased dramatically over the last decade, and our financial infrastructure has suffered repeated cyber intrusions,” said Mythili Raman, acting assistant attorney general at the Department of Justice.

Raman said the DOJ “continues to use all of the tools at its disposal to combat cybercrime,” but suggested the establishment of a strong, uniform federal standard that would require certain types of businesses to report data breaches and thefts of electronic personally identifiable information.

“Businesses should be required to provide prompt notice to consumers in the wake of a breach,” Raman said. “We should balance the need to safeguard consumers and hold compromised entities accountable, while setting clear standards that avoid undue burdens on industry.”

Such legislation should include a safe harbor for breaches with no reasonable risk of harm or fraud. “This approach would protect the privacy of individuals while holding firms accountable for failure to safeguard personal data,” he said.

Sen. Dianne Feinstein (D-Calif.) noted she is a Neiman Marcus shopper but was never told of the breach. Kingston responded by saying Neiman Marcus notified online and in-store customers Jan. 22.

Feinstein said retailers should be required to provide more prompt customer notification. “The public notification is always vague, it is non-specific,” she said. “Then the customer finds out in other ways, sometimes brutal ways,” that their personal data have been stolen.

Payment card technology

Target’s Mulligan said the cyber attack at Target “has only strengthened our resolve.” He said Target is spending $100 million to expedite the transition to chip technology in Target REDcards and its stores’ point-of-sale terminals—an upgrade from standard magnetic strips on the back of credit and debit cards.

“We believe that chip-enabled technologies are critical to providing enhanced protection for consumers,” he said, while adding that updating card technology “is a shared responsibility and requires a collective and coordinated response.”

James Reuter, executive vice president of FirstBank in Lakewood, Colo., testified on behalf of the American Bankers Association at the Senate subcommittee hearing.

“Notwithstanding these recent breaches, our payment system remains strong and functional,” he said. “No security breach seems to stop the $3 trillion that Americans spend safely and securely each year with their credit and debit cards.”

The ABA encourages the implementation of chip technology. Reuter said some are already using this technology, with “the next set of deadlines for banks and retailers coming in late 2015.”

But, he warned, there “is no panacea for the ever-changing threats that exist today.”

Reuter said the ABA strongly supports the Data Security Act, a national standard for data security and breach notification. The bill is sponsored by Sen. Thomas Carper (D-Del.).

Sen. Leahy in early January reintroduced legislation, the Personal Data Privacy and Security Act, to install tougher penalties for the concealment of a breach; require companies to protect data privacy and security; and update current law to make harsher criminal penalties for attempted hacking and conspiracy to commit hacking.

The bill is co-sponsored by Senators Al Franken (D-Minn.) and Chuck Schumer (D-NY).


About Arthur D. Postal

Arthur D. Postal has covered federal insurance regulation and Washington D.C. for many years and has more than 30 years of financial-journalism experience. He most recently was employed by National Underwriter, writing for P&C and life and health publications as well as PropertyCasualty360.com.

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalism experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824.