WASHINGTON - Stringent requirements to ensure customers are notified promptly when a data breach occurs should be a key part of any new laws to combat cyber crime, officials testified at a congressional hearing Tuesday.
The Obama Administration recommends a uniform federal standard requiring businesses to report data breaches and thefts of electronic personal information quickly, Acting Assistant Attorney General Mythili Raman told the Senate Judiciary Committee.
The hearing is exploring the data breaches at Target and Neiman Marcus, and executives from Twin Cities-based Target are answering tough questions on when they found out about the massive breach and when they saw fit to inform consumers.
"Businesses should be required to provide prompt notice to consumers in the wake of a breach," Raman said. "American consumers should know when they are at risk of identity theft or other harms because of a data security breach."
Executives from Target and Neiman Marcus also testified, detailing their responses to recent, massive data breaches. Neiman Marcus Senior Vice President Michael Kingston said the company first learned of a possible problem from its credit processor on Dec. 17 when Mastercard told the retailer that 122 fraudulently used credit cards had last been used at Neiman Marcus.
A forensic team on Jan. 2 confirmed the data breach, which ultimately compromised the accounts of 1.1 million customers, Kingston said.
Sen. Dianne Feinstein, D-Calif., said she is a Neiman Marcus shopper and never received notification of the breach. Feinstein said she shopped at the store during the time the malware was stealing the data. Kingston said Neiman Marcus notified online and in-store customers on Jan. 22.
The law should require prompt customer notification, Feinstein said.
"The public notification is always vague, it is non-specific," Feinstein said. "Then the customer finds out in other ways, sometimes brutal ways," that their personal data has been stolen.
Federal Trade Commission Commissioner Edith Ramirez testified that the FTC wants a strong federal data security and breach notification law. Although most states have breach notification laws, a "strong and consistent national requirement would simplify compliance by business while ensuring that all consumers are protected," she said.
The law, in addition to requiring retailers and other corporations to comply with a federal data security law, should enable the FTC to bring cases and make data security rules for non-profits, she said.
"Never has the need for legislation been greater," Ramirez said. "With reports of data breaches on the rise, and with a significant number of Americans suffering from identity theft, Congress needs to act."
The hearing began with Target Chief Financial Officer John Mulligan apologizing for the data breach that exposed information involving 110 million Target customers.
"We know this breach has shaken their confidence in Target, and we are determined to work very hard to earn it back," Mulligan told the panel.
Target learned of the data breach on the evening of Dec. 12 when the Justice Department notified the company of suspicious activity involving payment cards used at Target stores. Mulligan said company officials met with the Justice Department and Secret Service the next day. On Dec. 14, Target hired an independent team of experts to conduct a forensic investigation.
That team confirmed Dec. 15 that "criminals had infiltrated our system, had installed malware on our point-of-sale network and had potentially stolen guest payment card data," Mulligan said. The same day, the company removed the malware "from virtually all registers in our U.S. stores."
The company disabled malware on 25 additional registers on Dec. 18, he said. Within a week of discovery of the breach, the public was notified, he added.
"We have been moving as quickly as possible to share accurate and actionable information with the public," Mulligan said, adding that the company had no knowledge of malware in its system before the Justice Department notification.
"Speed is very important in letting consumers know what's going on," but Target also considered the accuracy of the information they could deliver and whether there was anything the consumer could do, Mulligan said. He added that an "end-to-end" investigation of the breach is continuing.
An estimated 40 million Target credit and debit card accounts were breached late last year, compromising customers' credit and debit card numbers, expiration dates, PIN numbers and codes on the cards' magnetic strips. Also stolen was non-card personal information — names, phone numbers and email and mailing addresses — for up to 70 million Target customers.
Still unknown is how the malicious software that was used to carry out the theft got into Target's computer system and how the hackers stole credentials from a Target vendor to enter the system. The identity of the vendor isn't known, either. The Secret Service has been investigating, and Attorney General Eric Holder has said the Justice Department is conducting a criminal probe.
Consumer Union, the policy and action division of Consumer Reports, is concerned about vulnerabilities in debit cards, which have fewer legal protections than credit cards, policy counsel Delara Derakhshani told the committee.
"While consumers might not ultimately be held responsible if someone steals their debit card and PIN number, data thieves can still empty out consumers' bank accounts and set off a cascade of bounced checks and late fees, which victims will have to settle down the road," Derakhshani said. "The burden is being put on consumers to be vigilant to prevent future fraudulent use of their information."
Although Target, Neiman Marcus and other retailers have offered a year of free credit monitoring for customers whose accounts were breached, Derakhshani said such services have drawbacks. Many of the contracts with the credit monitoring services require consumers to agree to mandatory arbitration, giving up their right to go to court if disputes arise.
A digital chip system for storing account information on debit and credit cards is due to be in place by the fall of 2015. Compared with the current magnetic strips, the chip system typically makes data theft harder, and it is already common in other countries.
"Chip and PIN" technology could be adopted more quickly than the October 2015 deadline, Derakhshani said. Widespread adoption of the technology would require massive changes that will be expensive for processors and retailers, she said.
Target is a proponent of "Chip and PIN" technology and is moving its stores in that direction, Mulligan said.
Neiman Marcus is "certainly willing to consider anything that will make consumer information safer," Kingston said. But he said adopting "chip and PIN" will require a lot of work to change software and deploy the technology.
"I think the answer comes down to money," Derakhshani said.