Brandon Bourdages / Shutterstock
Lawmakers grilled top executives from Target Corp. and Neiman Marcus on Tuesday about recent data breaches that exposed financial and personal details of upward of a third of the U.S. population at a hearing about possible legislation to help prevent future data thefts.
“I know I never have had a time when my wife and I were so assiduous about checking our credit card bills,” said Senate Judiciary Committee Chairman Patrick Leahy (D., Vt.) at the hearing, adding that there’s bipartisan interest in passing legislation this year.
Target CFO John Mulligan told lawmakers that the retailer was “deeply sorry” and acknowledged that the company’s December breach — which exposed about 40 million credit and debit card records and 70 million other records, including telephone numbers and addresses — had “shaken [consumers’] confidence in Target.”
Neither retailer offered many new details about their data thefts, although Target said its breach lasted a few days longer than previously reported after the company found malware installed in a few dozen more stores. Both Target and Neiman Marcus submitted testimony (here and here) which provided a clearer timeline of how the breaches went down and when they were discovered.
The Senate Judiciary hearing Tuesday was one of a series being held on Capitol Hill this week as lawmakers struggle to reach agreement on new cyber-security legislation to help prevent such attacks and provide better, more timely notification to consumers in the event of a breach. Congress has tried to pass a new federal data security law before, but the effort stalled as banks, retailers and credit card companies squabbled over details like who pays for breaches and when consumers should be notified.
Lawmakers have already dusted off at least three legislative proposals to enact new federal data security rules, which would give the Federal Trade Commission or other federal law enforcement agencies more authority to set data security requirements for companies or take action against data thieves. All of the proposals would establish federal notification requirements so consumers would be told when their data has been compromised.
Sen. Dianne Feinstein (D., Calif.) complained that, despite being a Neiman Marcus customer last summer when the data breaches occurred at 77 stores, “I don’t recall getting a notice.”
Feinstein and other lawmakers have particularly focused on how to craft a federal notification standard so people know when their card numbers or other data have been stolen.
“We think the sooner that consumers know their data is compromised, the sooner they can take steps to protect themselves,” said Delara Derakhshani, policy counsel of Consumers Union, publisher of Consumer Reports magazine. She suggested that the timing in current legislative proposals, which would give companies up to 60 days to tell customers about breaches, should be shortened.
Lawmakers spent much of the hearing asking about credit and debit card technologies that could have prevented the Target and Neiman Marcus data thefts.
Target’s Mulligan called for companies to start switching to so-called “chip and PIN” debit and credit smart cards in an op-ed Tuesday in the Capitol Hill newspaper The Hill and said Target was accelerating its own $100 million program to switch technologies. (See Arik Hesseldahl’s explainer on the EMV card technology here.)
As Mulligan noted in his op-ed, one of the reasons the U.S. hasn’t already switched to smart cards is because “all players in the payments system — merchants, issuers, banks and the networks — have not been able to find common ground on how to share the costs of implementation.”
That divide continued Monday at a separate data security hearing in the Senate Banking Committee, which also focused on the cards and greater authority for federal law enforcement to investigate breaches.
Sen. Chuck Grassley (R., Iowa) suggested Tuesday that since there’s such wide, bipartisan support for a national breach notification standard, it’s worth a look at just tackling that first with separate legislation. “This might provide the chance to take action quickly, as we continue work on other issues,” he said.