Congress, White House Demand Faster Disclosure of Security Breaches

Feb. 6, 2014

Retailers spent much of this week in Washington answering to congressional leaders about recent security breaches affecting millions of U.S. consumers. They were not able to offer, however, very many satisfying answers. In a hearing before the Senate Judiciary Committee, representatives from Target and Neiman Marcus, which each disclosed massive network intrusions that compromised the payment-card information of more than 40 million of their customers, apologized to consumers and admitted their systems were compromised despite significant investment in technology to protect customer data.

Michael Kingston, CIO of Dallas-based Neiman Marcus, told the committee that “just having the tools and technology isn’t enough in this day and age. These attackers again are very, very sophisticated and they’ve figured out ways around that.”

If hackers are going to continue to be a step ahead of technology designed to thwart them, the White House and Congress indicated they will push for laws speeding up disclosure. Target, for example, disclosed its breach only after investigative journalist Brian Krebs wrote about it.

Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) said that would have to change.

“No one would dispute that businesses need to thoroughly assess the damage when a cyberattack is discovered,” Sen. Leahy said. “But time is of the essence for law enforcement seeking to catch the perpetrator, and also for consumers who want to protect themselves against further exposure. American consumers deserve to know when their private information has been compromised and what a business is doing in response to a cyberattack.”

During the hearing, the Obama administration also signaled the president would support such legislation. Acting Assistant Attorney General Mythili Raman said the White House recommends a uniform federal standard requiring businesses to quickly report thefts of electronic personal information.

“Businesses should be required to provide prompt notice to consumers in the wake of a breach,” Raman said. “American consumers should know when they are at risk of identity theft or other harms because of a data security breach.”

Target CFO John Mulligan told the Senate panel that the company is accelerating its EMV conversion plans. The company said it will upgrade the POS terminals at all of its more than 1,700 U.S. stores by the end of 2014.

Many of the witnesses who testified Tuesday before the Senate repeated the exercise yesterday for a subcommittee of the House Energy and Commerce Committee.