On Friday of this week, my wife received an email from Target. It was the third in the past month related to the massive security breach that resulted in thieves stealing data from somewhere around 40 million credit and debit cards used at Target stores in the U.S. during a two and a half week period that began around Thanksgiving.
This particular email explained that in addition to those 40 million accounts, up to 70 million Target customers, including my wife, may have had non-payment personal information pilfered whether or not they shopped at Target during this past holiday season.
“I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion,” read the email attributed to Target CEO Gregg Steinhafel. It went on to provide information about how to sign up for free credit monitoring and “identity theft protection insurance where available.”
Target issued a press release announcing this second group of stolen data on January 10. My wife’s email arrived a full week later on January 17. In the interim, it is not far-fetched to imagine a scenario where cyber criminals could have used the stolen email address to send her a so-called “phishing” email designed to look like one from Target with the intent of luring more personal information out of her.
What’s worse: while theft of this type of personal information alone does not necessitate public disclosure according to most state laws, the fact that criminals potentially had this information coupled with our credit card data since we had shopped at a Target during the affected timeframe was enough to cause alarm.
So why such a delay between the initial press release and the email from the company? Was Target following the letter of the law with the timing of this disclosure? How about the initial breach notification? Was that made in the appropriate timeframe?
The truth is: It is almost impossible to know, because of the current patchwork nature of data breach disclosure laws in this country and the lack of a single unified law at the federal level.
Forty-six states currently have data breach disclosure laws on the books, but most of them provide vague guidance on how quickly the public needs to be notified and what mediums should be used first for notification. The laws also incorporate varying instructions on what type of stolen information necessitates a customer notification. To make matters worse, different states have different definitions of personally identifiable information, or PII, the term often used as a threshold for mandated public disclosure.
That’s simply not good enough, say payment and financial experts. The nation is in desperate need of federal legislation that sets standardized ground rules. Such a law would likely not prevent such data attacks, but it would give businesses a clear understanding of what kind of breaches require disclosure and over which channels of communications. More importantly, if the legislation included a timeframe in which notification must occur, consumers could better protect themselves after a breach.
“National legislation would reduce compliance complications for merchants with a multi-state presence, but it is also an opportunity to establish clear liability guidelines,” Al Pascual, a senior analyst at Javelin Strategy & Research, wrote in an email to Re/code early this week. “Consumers, retailers, and the financial industry all suffer financial costs as a result of breaches that occur at external organizations, but rarely are the breached organizations held to account. It is a grossly unfair situation that needs to be rectified so as to encourage improved data protection practices.”
Senator Patrick Toomey introduced the Data Security and Breach Notification Act of 2013 in June to try to help solve the problem of the state-by-state patchwork rules, but it didn’t get anywhere. Sen. Toomey’s spokeswoman E.R. Anderson was not immediately reachable.
On Wednesday, Senators Tom Carper and Roy Blunt introduced a similar bill, called the Data Security Act of 2014. But it’s way too early to know how Congress will receive it.
“There’s been legislation out there that has not moved so far in previous Congresses,” said Brad Thaler, vice president of legislative affairs at the National Association of Federal Credit Unions. “But because of the widespread impact of this one, there’s now additional pressure on Congress to do something and try to create national standards.”
Target spokeswoman Molly Snyder declined to comment on how a federal law might have altered the speed at which the company directly notified individual customers who may have been affected by the breach. But she defended the decision to first disclose the theft of the two data groups via a press release before contacting individual shoppers, saying Target wanted to “get out to as many [customers] as quickly as possible.”
After issuing the press release about the second group of stolen data — the personal information theft — on Friday, the 10th, Snyder said Target started sending out tens of millions of emails the following week.
“We’ve been moving as swiftly as possible to notify guests through a variety of channels,” she said.
“We’re obviously committed to meeting our legal obligation, but that’s not our goal,” she added. “Our No. 1 goal is reaching our guests.”