Senate Committees Hold Data Security Hearings

On Monday, February 3, and Tuesday, February 4, the Senate Banking and Senate Judiciary Committees (respectively) held hearings on the topic of data security and breach notification. Witnesses at both hearings included representatives from the Federal Trade Commission (FTC), the U.S. Secret Service, Target, Neiman Marcus and security firms such as Symantec.

On Monday, the Senate Banking Committee’s Subcommittee on National Security and International Trade and Finance held a hearing entitled “Safeguarding Consumers’ Financial Data.” The hearing focused on the criminal hacking of consumers’ financial data, including payment card information. Witnesses from the FTC and U.S. Secret Service outlined the existing investigative tools and enforcement authority to deal with these types of crimes. Jessica Rich, Director of the FTC Bureau of Consumer Protection, told the Committee that the FTC supports the creation of a federal standard for data security and breach notification, along with civil penalties for non-compliance. Much of the discussion focused on the transition of the payment card industry to a “chip and PIN” security standard, which would place microchips in payment cards and require personal identification numbers for processing retail transactions. Further, there were many questions regarding the extradition and prosecution of criminal actors who commit cyber crimes from locations outside the United States. U.S. Secret Service Deputy Special Agent in Charge William Noonan told the Committee that extradition depends on the laws of the country where the hacker is physically located, and that some European countries have better records of extraditing persons suspected of committing crimes than others.

On Tuesday, the Senate Judiciary Committee held a hearing titled “Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime.” The Committee heard from Deputy Special Agent in Charge Noonan and FTC Chairwoman Edith Ramirez, who both offered testimony similar to that of the previous day. The Judiciary Committee also received testimony from representatives from Target and Neiman Marcus, retailers who recently suffered major data breaches and the theft of customer payment information. Both witnesses offered their apologies to their customers and described how hackers had infiltrated their payment systems and installed malicious software to obtain customer payment information. Each retailer witness also explained the efforts they made to notify their customers and offer services such as free credit monitoring. The hearing included testimony from Mythili Raman, Acting Assistant Attorney General for the U.S. Department of Justice, who also called for a uniform breach notification standard. Raman also urged the Committee to review and update the Computer Fraud and Abuse Act of 1986. Again, at the Judiciary Committee hearing, there was significant discussion regarding the move to “chip and PIN” payment systems. Chairman Patrick Leahy (D-VT) and Ranking Member Chuck Grassley (R-IA), sponsors of data security and breach notification legislation, had numerous questions for the retailer witnesses pertaining to the ongoing investigations, as well as to how and when they notified customers of the breaches.

Witnesses from security firms, including Symantec, pointed to the Target and Neiman Marcus breaches as examples of the rising threat of data breaches. They argued that any federal standards for data security should be flexible in order to allow for innovation, and that best practices or guidelines should be developed through a stakeholder input process that allows for collaboration between companies, consumers and law enforcement.

In general, both hearings highlighted the rising threat of cyber crime and the need for federal data security and breach notification standards. Many senators on both committees were eager to make clear that while they expect retailers and financial institutions to take appropriate measures to secure their customers’ information and to promptly notify consumers of any breaches, the companies themselves are also victims of cyber crimes, and that private industry, government and consumers must work together to prevent such breaches in the future.

The House Energy & Commerce Committee will hold a hearing on Wednesday, February 5, 2014, entitled “Protecting Consumer Information: Can Data Breaches Be Prevented?” The hearing will feature many of the same witnesses from the Senate hearings.