Calls for Regulatory Overhaul as Congressional Hearings Continue on Data Security (Feb. 6, 2014)
Lawmakers yesterday continued their calls to strengthen regulations protecting consumers’ financial data in the wake of recent retailer data breaches. The series of Capitol Hill hearings kicked off on Monday with a Senate Banking Subcommittee hearing that included testimony from officials from the Secret Service, the Federal Trade Commission, the American Bankers Association and the National Retail Federation. The hearings are being held in part to examine whether new laws should be enacted to ensure that consumer data is protected from cybercriminals.
The thieves who engineered the Target breach were able to slip malware into the retailer’s system in such a way that it evaded detection by commercially available antivirus programs, according to an official from the Dept. of Homeland Security’s cybersecurity operations who testified before the House committee. Secret Service Deputy Special Agent William Noonan, who also testified on Wednesday, agreed that the attackers were most likely “highly technical and sophisticated,” and said they were probably not from the U.S.
But Illinois AG Lisa Madigan, who is co-heading a multistate investigation of the breaches, told the House panel that retailers often leave themselves vulnerable to cyberattacks by making simple mistakes like using weak passwords, failing to encrypt customer information and failing to use the most up-to-date versions of antivirus software. Madigan declined to discuss the details of her investigation, but she said the country is facing “an epidemic of data breaches,” which have caused billions of dollars of damage to the economy.
In the wake of the breaches, several lawmakers and regulators have called for new legislation to bolster consumer data security. During Wednesday’s hearing, Rep. Fred Upton (R.-Mich.), chairman of the Energy & Commerce Committee, said an overhaul of the existing regulatory structure could be needed. “We must consider whether the current multilayer approach to data security—federal, state and industry self-regulation—can be more effective, or whether we need to approach the issue differently,” Upton said in his prepared remarks.
During the same hearing, FTC Chairwoman Edith Ramirez called for a strong federal law covering data security and breach notifications. “With reports of data breaches on the rise, and with a significant number of Americans suffering from identity theft, Congress needs to act,” Ramirez said on Wednesday. During the Senate subcommittee hearing on Monday, Senator Elizabeth Warren (D.-Mass.) said Congress should consider giving the FTC more authority to push retailers to increase their data security.