On Wednesday, the Senate Committee on Commerce, Science, and Transportation held a hearing entitled “Protecting Personal Consumer Information from Cyber Attacks and Data Breaches” to examine potential solutions for preventing future data breaches. On the same day, Committee Chairman Senator Jay Rockefeller (D-WV) released a staff report describing the sequence of events surrounding a data breach at a major retailer during last year’s holiday shopping season, which he referenced during the hearing.
The Committee weighed in on pending data security and breach notification legislation, including Chairman Rockefeller’s Data Security and Breach Notification Act of 2014 (S. 1976), and other potential regulations and technology solutions to prevent future data breaches in the public and private sectors.
The witnesses testifying at the hearing included:
- Edith Ramirez, Chairwoman, Federal Trade Commission (FTC);
- John Mulligan, Vice President and Chief Executive Financial Officer, Target Corporation;
- Dr. Wallace Loh, President, University of Maryland;
- David Wagner, President, Entrust, Inc.;
- Peter Beshar, Executive Vice President and General Counsel, Marsh and McLennan; and,
- Ellen Richey, Chief Enterprise Risk Officer, Visa Inc.
Chairman Rockefeller began his opening statement by highlighting recent breaches at high-profile retailers and the increasing risk of cyber-attacks across the public and private sectors. He expressed disappointment that Congress has not yet passed federal data security and breach notification legislation and promoted his own bill, explaining that it would expand the authority of the FTC and state Attorneys General to seek civil penalties from companies that fail to comply with the law, require companies to develop strong security protocols, and establish a uniform breach notification standard. He concluded by urging industry to weigh in on federal data security legislation and to compromise on technology solutions that would better protect consumer information.
Ranking Member John Thune (R-SD) expressed his interest in hearing what lessons had been learned by the representatives present at the hearing whose entities had recently experienced a breach. He stated that the federal government is also at risk of breaches, highlighting a recent Government Accountability Office report indicating that several federal agencies have failed to implement effective data security policies. He mentioned his co-sponsorship of Senator Pat Toomey’s (R-PA) Data Security and Breach Notification Act of 2013 and stated that he would work with other senators to advance federal data security and breach notification legislation. Thune expressed optimism about the prospects for a federal data security standard, highlighting the development of the National Institute of Standards and Technology Cybersecurity Framework by industry and government.
In her opening statement, Ms. Ramirez reiterated that the need for a robust data security and breach notification law “has never been so important.” She stated that the most common complaint consumers bring to the FTC is identity theft. She identified three areas where the FTC’s authority should be expanded: 1. civil penalties imposed on companies when warranted; 2. jurisdiction over non-profits, hospitals, and universities; and, 3. Administrative Procedure Act (APA) rulemaking authority. She explained that the FTC does not require “perfect security” but judges companies against a “reasonableness” standard, taking into account whether they have adopted “basic, fundamental safeguards.”
Mr. Loh shared the University of Maryland’s recent experiences with two data breaches. He explained that, on February 18, the University experienced a major breach where over 300,000 individuals had basic information (names and birth dates) stolen from the university’s database. He stated that the university was attacked for the second time three weeks later, but that only one individual’s information was compromised. Loh underscored that the university had implemented robust security protocols, invested significantly in advanced cybersecurity technology, and would have fulfilled the proposed requirements under Chairman Rockefeller’s data security legislation at the time of the attacks.
Mr. Mulligan stated that Target is “deeply sorry” for the impact the breach has had on its guests. Referring to his testimony at prior hearings, he said he would provide an update on the steps Target has taken to protect consumer information. Mulligan described those additional steps, including upgrading security systems, deploying additional authentication tools, strengthening its participation in information sharing on cyber-attacks, and accelerating Target’s adoption of chip-and-PIN cards. He concluded by expressing his support for a data security and breach notification standard.
Ms. Richey expressed concern about the increase in data being stolen in transit, noting that it makes payment information more difficult to protect. Richey announced that Visa is working with others in the industry to create a “roadmap” for reducing the risk of breaches that would call for adoption of chip technology on credit cards, tokenization to better protect data while it is in transit, and encryption of payment information. She added that the federal government can help protect consumer information in the payment industry in three ways: 1. enabling a secure environment for the private and public sectors to share cyber threat information; 2. enhancing international partnerships; and, 3. enacting a uniform data security standard.
Mr. Beshar of the professional risk management and insurance brokerage firm Marsh and McLennan discussed steps companies can take to provide additional protections for consumers. He stated that companies should consider investing in cyber insurance, outlining how it can cover out-of-pocket expenses (such as credit monitoring and call centers), compensate for harm in the form of lost profits, and help cover damages suffered by consumers affected by a breach.
Mr. Wagner illustrated how criminals often steal a legitimate user’s identity to gain access to a network, which makes detection difficult. He recommended three actions to further protect consumer information: 1. enactment of a federal data security and breach notification law; 2. fostering of information sharing by the federal government; and, 3. changing the “cybersecurity culture” to make information security a core priority for all entities.
In concluding the hearing, Rockefeller stated that he found the hearing both “interesting” and “frustrating.” He insisted that entities that experience a breach must be held accountable so that victims are notified and can protect themselves against any resulting damage. He urged that federal data security and breach notification legislation move forward in light of the recent breaches at major retailers.