WASHINGTON Lawmakers keep trying to move legislation aimed at strengthening data security even if they are still not finished upbraiding retailers for recent breaches.
Witnesses and members of the Senate Commerce Committee repeated calls for legislative steps requiring security standards for organizations that keep sensitive data and notification to consumers when breaches occur. But the March 26 hearing also provided another opportunity to take Target to task after last year's breach exposed the personal information of as many as 110 million of the retailer's customers.
"We can all agree that if Target or any other company is going to collect detailed information about its customers, they need to do everything possible to protect it from identity thieves," said Sen. Jay Rockefeller, D-W.Va., the committee's chairman. "It is now well known that Target fell far short of doing this."
The hearing came one day after the committee released a report identifying ways Target could have further strengthened its payment security system to mitigate the threat of a breach. Among the report's findings were that the retailer violated information security practices when it allowed a third-party vendor with weak security measures to access the Target network; and that it failed to respond to automated warnings about malware that attackers were installing on its system.
John Mulligan, Target's chief financial officer, said the company is asking "hard questions" about what steps it could have taken before the breach to prevent it.
"In particular, we are focused on what information we had that could have alerted us to the breach earlier; whether we had the right personnel in the right positions; and ensuring that decisions related to operational and security matters were sound," Mulligan said. "We are working diligently to answer these questions."
He said Target is moving up its adoption of new chip payment technology. Chip-ready devices have been installed in about 10,000 stores and full installation is expected by September, six months sooner than scheduled, Mulligan said. "We also expect to begin to issue chip-enabled Target REDcards and accept all chip-enabled cards by early 2015."
A whole slew of data security bills have been introduced or reintroduced in the Senate with lawmakers proposing, among other things, to develop uniform standards for notifying those affected by a breach. Rockefeller has legislation co-sponsored by other Democrats with provisions including new Federal Trade Commission rules for companies that keep consumers' personal information.
Sens. Tom Carper, D-Del., and Roy Blunt, R-Mo., recently reintroduced their bill, supported by the banking industry, aimed at better protecting consumer information while also setting new notification standards for when a breach occurs. Sen. Patrick Leahy, D-Vt., has also reintroduced a similar bill.
"A single federal standard would ensure all consumers are treated the same with regard to notification of data breaches that might cause them harm," Sen. John Thune, R-S.D. the committee's ranking member who cosponsored a data security bill last year with Sen. Pat Toomey, R-Pa. in a statement prepared for the hearing. "Such a standard would also provide consistency and certainty regarding timely notification practices, which benefits both consumers and businesses."
In written testimony, Edith Ramirez, who chairs the FTC, said lawmakers should authorize regulators to fine organizations that run afoul of notification standards.
"To help ensure effective deterrence, we urge Congress to allow the FTC to seek civil penalties for all data security and breach notice violations in appropriate circumstances," Ramirez said.