Senators Launch Probe of Massive Data Breaches

Lawmakers agree that further legislative protections are needed to prevent the kind of breaches that brought Target and Neiman Marcus to their knees.

A Target store is seen on December 19, 2013 in Miami, Florida. Target announced that about 40 million credit and debit card accounts of customers who made purchases by swiping their cards at terminals in its U.S. stores between November 27 and December 15 may have been stolen.
National Journal
Dustin Volz
Feb. 4, 2014, midnight

Several senators repeated calls for legislation to ward off massive data thefts during a hearing Monday to review the vulnerability of the nation’s digital-payment systems, the first in a trio of sessions this week examining the enormous breaches sustained recently at retailers around the country.

Sen. Elizabeth Warren declared that Congress needed to adopt tighter data-security protections and heighten the Federal Trade Commission’s authority to police businesses failing to adequately protect consumer data.

“The FTC should have the enforcement authority it needs to protect consumers and it looks to me like it doesn’t have that authority right now,” Warren, a Massachusetts Democrat, said during a Senate Banking subcommittee hearing. “Data-security problems aren’t going to go away on their own, so Congress seriously needs to consider whether to strengthen the FTC’s hand.”

The FTC has the authority to punish “unfair” business practices, a standard that continues to remain legally murky. While the FTC has used the standard to go after some companies that have failed to ensure adequate data-security standards, pending legal challenges levied by Wyndham Hotel and LabMD seek to challenge the authority.

“You’re describing a fairly demanding standard, since as you say, it’s more than breach, more than the fact that people have been injured, more than the fact that a company had very lax standards,” Warren told Jessica Rich, director of the FTC’s Bureau of Consumer Protection, during the hearing. “This is a real problem, that the FTC’s enforcement authority in this area is so limited.”

Rich largely agreed with Warren’s admonitions, noting that “that’s one of the reasons we’re supporting general data-security legislation.”

Subcommittee Chairman Mark Warner, a Virginia Democrat, repeatedly called for quick action to upgrade security features on plastic card payment methods as a stopgap measure to prevent further data breaches from occurring. He hammered home his conviction that debit and credit cards need to have the same standards of data protection. Currently, credit cards typically afford more protection.

“It would seem to me that equalizing cards on the same standard makes a lot of sense,” Warner said. He then asked the second panel to “give me a reason why” the two plastic forms of payment shouldn’t be aligned in their protective measures. All witnesses agreed.

But Warner also cautioned that upgraded technology — so-called chip and PIN protections — could only serve as an interim solution and would only be partially effective for online shopping.

Senators and witnesses alike agreed that more needed to be done to secure customer data to prevent more wide-scale breaches, both at retail stores and in online shopping.

“Our card-payment system is outdated and prone to attack,” noted James Reuter, executive vice president of FirstBank. “The fraudsters rely on our systems being so porous.”

Some steps, like ensuring people use more-complex passwords, are relatively easy matters of customer education.

But more-complicated challenges, such as varied state reporting requirements when a data breach occurs, serve to undercut consumer protections. Congress is considering legislation that would create one federal reporting standard. Separately, Ranking Member Mark Kirk, an Illinois Republican, said he planned to introduce legislation that would mandate a 25-year prison sentence for those found guilty of violating federal data-theft law.

The Senate subcommittee meeting is the first of three Congress is holding this week to examine consumer data vulnerabilities in the wake of colossal breaches at national retail chains. Executives from Target and Neiman Marcus will testify before the Senate Judiciary Committee on Tuesday, and will do so again Wednesday in front of a House Energy and Commerce subcommittee.

Target’s breach was the first in an avalanche of data thefts to come to light in recent months, a heist that stole the names, addresses, phone numbers, and credit-card information of as many as 110 million customers.

