Following massive security breaches that hit retailers like Target and Neiman Marcus, a Federal Trade Commission (FTC) official told Congress on Monday that the need has never been greater for data security legislation.
“While we have tools and we're using them to address data security failures by companies, it would be extremely helpful to have a federal law requiring data security, not just notification, with civil penalties,” Jessica Rich, director of the FTC’s bureau of consumer protection, told the Senate Banking Committee’s national security subpanel.
“It is also important that companies shore up their systems as much as they can against attacks,” she said. “We need to attack this problem from different angles.”
Currently, there are state laws requiring breach notification, but no standard at the federal level and no civil penalties, Rich noted. The FTC supports both federal standards for data security and requiring companies to notify consumers after a security breach.
Sen. Jon Tester, D-Mont., agreed there should be “across the board” breach notification requirements “because time is literally money in the situation.”
“If there is a breach that happens and that retailer withholds the information, or for some reason the banking institution may want to -- I don't know why, but I don't know why either one would want to, quite frankly -- you guys need to know about it immediately,” he said to Rich and William Noonan, deputy special agent in charge at the U.S. Secret Service.
Noonan noted how widespread cyber breaches have become -- the Bureau of Justice Statistics estimates that more than 16 million people were victims of identity theft in 2012 alone. Yet aside from some laws specifically pertaining to health records, Rich noted that the FTC’s authorities in this area haven’t been significantly updated since the Gramm-Leach-Bliley Act passed in 1999.
That 1999 law, Rich noted, provides a model for building flexible regulations that can evolve as technology evolves.
Subcommittee Chairman Mark Warner, D-Va., noted that while government has a role to play, “this is fundamentally a technology problem.” Data shows that the “chip and PIN” security system that retailers and credit card companies use in Europe is more effective at preventing fraud at the point of sale than the “swipe” system used in the U.S., he pointed out.
“We don't need another... long-term fight between the bankers, the retailers, and the card industry,” Warner said. “The hackers in Russia, China, Ukraine, throughout the world, are not waiting for America to get its act together on this issue. They are continuing to strike us every day. To better protect consumers, our financial institutions, the networks and merchants should work together to continue to innovate on anti-fraud technology.” The public, he said, “cannot afford a year or multiple years of legislative battles like we saw over interchange fees.”