Recent high-profile data breaches at two major retail outlets have reignited efforts by the Obama administration and its allies in the Senate to introduce and pass a federal data security and breach notification law.
Federal Trade Commissioner Edith Ramirez and Acting Assistant Attorney General Mythili Raman on Tuesday told a Senate Judiciary Committee hearing that legislation is urgently needed to better protect consumers from data breaches and identity fraud.
“Businesses should be required to provide prompt notice to consumers in the wake of a breach,” Raman said. “American consumers should know when they are at risk of identify theft or other harms because of a data security breach.”
“Never has the need for legislation been greater,” Ramirez said.
Senior executives from Target Corp. and The Neiman Marcus Group testified at the hearing about the recent massive data breaches at their retail outlets that exposed financial and personal data of tens of millions of customers.
John J. Mulligan, executive vice president and chief financial officer of Target, said the attack that compromised payment card data belonging to 40 million Target customers and personal identity information on up to 70 million customers involved highly sophisticated malware that captured data from customer’s cards as they swiped them at payment terminals. The data was stripped from the cards before it could be encrypted on Target’s back-end systems.
The attack at Neiman Marcus also involved sophisticated malware that targeted the retailer’s payment card systems. According to Michael R. Kingston, senior vice president and chief information officer for The Neiman Marcus Group, the breach took place between July and December 2013 at 77 of the company’s stores, and may have compromised as many as 1.1 million accounts.
“The malware that penetrated our system was exceedingly sophisticated,” Kingston said. “The malware was evidently able to capture payment card data in real time, right after a card was swiped, and had sophisticated features that made it particularly difficult to detect.” Some of those features “were specifically customized” to evade Neiman Marcus’ multilayer security architecture, Kingston added.
But it was the response to the breaches by Target and Neiman Marcus that now has many lawmakers pushing for new data breach notification laws. Although the payment card industry is gradually moving away from cards that use a magnetic strip and toward new “smart cards” that use embedded microprocessor chips and PIN technologies, many senators raised concerns about the lack of minimum security and reporting standards.
Sen. Diane Feinstein, D-Calif., one of the sponsors of a failed effort in 2003 to introduce data breach notification laws, said she has shopped at Neiman Marcus and does not recall receiving any notification from the retailer that her data may have been compromised.
According to Kingston, Neiman Marcus executives were not aware of the attack until Jan. 2 — six months after the malware was installed — and it took until Jan. 6 before security experts could determine information had been stolen and the extent of the breach.
“Then, disabling it to ensure it was still not operating took until Jan. 10,” Kingston said. That’s when Neiman Marcus sent out its first notifications to customers and issued a public announcement.
Kingston said Neiman Marcus completed notifications of all customers who shopped in one of the company’s 85 retail outlets or online — nearly 1.1 million people — Jan. 22.
Target, however, only had contact information for a limited number of customers, Mulligan said. And given the size and scope of the breach, the company opted to leverage what Mulligan described as “broad public disclosure” through the news media, social media and its website.
That wasn’t enough for several lawmakers, who argued that all consumers should be notified whenever their personal data has been compromised.
“I had a bill and it was [about] notification and it was fiercely fought,” Feinstein said. “Companies did not want to notify their customers. So, here we are sort of again with respect to notices. I believe that if somebody has an account or uses their credit at your institution and their data is breached, they should be notified.”
Feinstein said any future bill introduced by the committee should include customer notification provisions.
Committee Chairman Sen. Patrick Leahy, D-Vt., and Sen. Richard Blumenthal, D-Conn., both have introduced separate data breach bills requiring companies to meet certain baseline security standards and notify customers if their data has been compromised.
“There will be, in effect, a bar that everybody has to follow — a standard of care … industrywide,” Blumenthal said. The Blumenthal bill would also provide the Federal Trade Commission with new enforcement powers.
“The federal government has a role to play,” said Sen. Al Franken, D-Minn. “Congress needs to pass laws that promote data security. Right now, there’s no federal law setting out clear security standards at merchants and data brokers. And there’s no federal law requiring companies to tell their customers when their data has been stolen.”
