Recent cyberattacks on payment systems at Target Corp. and other U.S. retailers show that U.S. laws designed to protect consumer data need updating, lawmakers said at the first of three congressional hearings on the matter.
Senate Banking Committee members yesterday called for requiring retailers to participate in a national data-breach notification system and granting wider authority for the Federal Trade Commission to investigate incidents. Senator Mark Kirk, an Illinois Republican, said he would introduce a bill to set a minimum 25-year sentence for violations of federal data-theft laws.
“This is a real problem that the FTC’s enforcement authority in this area is so limited,” Senator Elizabeth Warren, a Massachusetts Democrat, said of the agency’s role in data-breach cases. “Data-security problems aren’t going away on their own so Congress really needs to consider whether to strengthen the FTC’s hand.”
The hearings continue today as Target’s executive vice president and chief financial officer, John Mulligan, takes questions from the Senate Judiciary Committee along with representatives of the Secret Service and other law enforcement agencies. A third hearing, by the House Commerce Committee, follows tomorrow.
At stake is about $40 billion of revenue earned by card issuers including JPMorgan Chase & Co., as well as the profits of Target and other retailers affected by the breaches. More than $3 trillion in U.S. customer transactions take place each year through the point-of-sale systems infiltrated by the hackers, according to David Robertson, publisher of the Nilson Report, an industry newsletter based in Carpinteria, California.
Names as well as home and e-mail addresses for as many as 70 million Target customers were taken, the Minneapolis-based company said in a Jan. 10 statement.
Proposals before Congress include setting national standards for database security and notifying customers when breaches occur. Senators Tom Carper, a Delaware Democrat, and Patrick Leahy, a Vermont Democrat, have re-introduced previous data-security bills. Senate Commerce Committee Chairman Jay Rockefeller, a West Virginia Democrat, offered a new measure on Jan. 30 for customer notifications.
Senator Mark Warner, a Virginia Democrat, said the card industry needs legislation aligning its data-breach standards for credit and debit cards, while retailers need notification obligations.
“I would support legislation that would equalize consumer protection for all forms of plastic,” Warner said in an interview. “The notion that you have one set of protections for credit cards and a different one for debit -- I didn’t know that three weeks ago and that ought be addressed. I do believe we need clearer standards on, probably set in law, on your obligation to report when you see a breach.”
The 1999 Gramm-Leach-Bliley Act requires financial institutions to notify customers of data breaches. Without such a federal notification requirement, retailers must follow varying laws in 46 states.