Target is facing increasing scrutiny from lawmakers as revelations about the scope and size of the breach grow. The company has been called to testify before the House Energy & Commerce Committee’s February hearing and is likely to be asked to testify in the Senate hearing as well. Target has sent e-mail notifications to its customers affected by the breach advising them on what information was released and providing a year-long subscription to Experian’s “ProtectMyID” service which provides identity theft insurance. Law enforcement officials and regulators are also expected to testify about the need for increased enforcement authority. Recently, Federal Trade Commissioner Maureen Ohlhausen has called for “regulatory humility” in the face of mounting calls for increased regulations. “We simply do not need new talk, new laws or new regulations,” Commissioner Ohlhausen said at a recent event at the Technology Policy Institute.
While two congressional hearings are already scheduled, more may be on the way. On January 10, 2014, Senate Commerce Committee Chairman Jay Rockefeller (D-WV) and Commerce Consumer Protection Subcommittee Chairman Claire McCaskill (D-MO) sent a letter to Target CEO Gregg Steinhafel asking the company to provide a “briefing to committee staff regarding [Target’s] investigation and latest findings.” Rep. Elijah Cummings (D-MD) the Ranking Member of the House Oversight and Government Reform Committee has urged Chairman Darrell Issa to examine the Target breach as a way to learn about data security failures that could be used to strengthen protection for the federal government’s Affordable Care Act website, Healthcare.gov.
As Congressional attention towards data security and breach notification continues to intensify, companies that collect and use consumer data should review and attempt to strengthen their data security systems and policies in advance of any potential legislative or regulatory action.