On Wednesday, March 26, 2014, the Senate Committee on Commerce, Science and Transportation held a hearing entitled “Protecting Personal Consumer Information from Cyber Attacks and Data Breaches” and heard testimony from representatives of Target, as well as the University of Maryland (UM), regarding the recent data breaches within their organizations. Testimony was also taken from Edith Ramirez, Chairwoman of the Federal Trade Commission (FTC), who has called on Congress to enhance the Commission’s authority to enforce data security measures. Other witnesses included: Ellen Richey, Chief Enterprise Risk Officer for Visa; David Wagner, President, Entrust, Inc.; and Peter J. Beshar, Executive Vice President and General Counsel, Marsh & McLennan. Prior to the hearing, the Committee released a staff report titled “A ‘Kill Chain’ Analysis of the 2013 Target Data Breach.”
While several Congressional committees held hearings concerning breaches at Target and other retailers back in February 2014, the March 15 breach at UM (the second at the University in as many months) has continued to keep the issue of data security at the forefront of congressional interest.
UM reported that it learned of a “cyber intrusion” on the morning of March 15; subsequently, UM contacted the Federal Bureau of Investigation (FBI) who, in conjunction with University Police and IT staff, mitigated the breach. They reported that the FBI informed UM that the intrusion resulted in no public release of any information and no damage to the institution, except for the release of personal data of one senior University official, who was notified. UM was the victim of a more significant data breach on February 18, 2014, during which a database containing 309,079 records of faculty, staff, students and affiliated personnel was compromised. The records included names, Social Security numbers, dates of birth, and University identification numbers. University officials have said the two breaches are unrelated.
The focus of the hearing was to “examine the risks these recent data breaches pose for consumers, the current lack of federal data security protections, and several data security bills pending before the Senate Commerce Committee that would establish such federal standards.” In his opening statement, Chairman Jay Rockefeller (D-WV) strongly criticized Target for not taking adequate steps to secure and protect customers’ data. “I think we can all agree that if Target – or any other company – is going to collect detailed information about its customers, they need to do everything possible to protect it from identity thieves. It is now well known that Target fell far short of doing this.” Going further, Chairman Rockefeller said that “it is increasingly frustrating to me that organizations are resisting the need to invest in their security systems. Target must be a clarion call to businesses, both large and small, that it’s time to invest in some changes.” The changes he suggested would include:
Directing the FTC to circulate rules requiring companies to adopt reasonable, but strong, security protocols.
Requiring companies to notify affected consumers in the wake of a breach.
Authorizing both the FTC and state attorneys general to seek civil penalties for violations of the law.
In his closing, Chairman Rockefeller noted that Snapchat, another company that suffered a data breach in the past few months, declined an invitation to testify. “Finally, I would be remiss if I did not publicly note that representatives from the company Snapchat declined my invitation to testify today. When people refuse to testify in front of this Committee, instinct tells me they are hiding something. In this instance, on this subject, I think it warrants closer scrutiny.”
Ranking Member John Thune (R-SD) took a more balanced stance in his statement, noting that data breaches happen both in the private sector and within federal agencies. He stated that he supports a uniform federal breach notification standard to replace the patchwork of laws in 46 states and the District of Columbia.
FTC Chairwoman Edith Ramirez delivered testimony similar to that given in the past at other data breach hearings, covering existing FTC authority and efforts to combat breaches, as well as providing guidance on how to secure consumer data. She reiterated her support for federal legislation that would strengthen data security standards and require companies to notify consumers of a breach. Both representatives from Target and UM detailed the steps they are taking to mitigate the damage from their respective breaches and strengthen their security systems.
The U.S. Securities and Exchange Commission (SEC) also held a Cybersecurity Roundtable today to discuss the cybersecurity landscape, public company disclosure, market systems and market participants with representatives from the SEC and other agencies, academia, industry and law firms participating.