On Tuesday, the Senate Judiciary Committee held a hearing titled “Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime.” The Committee heard from Deputy Special Agent in Charge Noonan and FTC Chairwoman Edith Ramirez, who both offered testimony similar to that of the previous day. The Judiciary Committee also received testimony from representatives from Target and Neiman Marcus, retailers who recently suffered major data breaches and the theft of customer payment information. Both witnesses offered their apologies to their customers and described how hackers had infiltrated their payment systems and installed malicious software to obtain customer payment information. Each retailer witness also explained the efforts they made to notify their customers and offer services such as free credit monitoring. The hearing included testimony from Mythili Raman, Acting Assistant Attorney General for the U.S. Department of Justice, who also called for a uniform breach notification standard. Raman also urged the committee to review and update the Computer Fraud and Abuse Act of 1986. Again, at the Judiciary Committee hearing, there was significant discussion regarding the move to “chip and PIN” payment systems. Chairman Patrick Leahy (D-VT) and Ranking Member Chuck Grassley (R-IA), sponsors of data security and breach notification legislation, had numerous questions for the retailer witnesses pertaining to the ongoing investigations, as well as to how and when they notified customers of the breaches.
Witnesses from security firms, including Symantec, pointed to the Target and Neiman Marcus breaches as examples of the rising threat of data breaches. They argued that any federal standards for data security should be flexible in order to allow for innovation, and that best practices or guidelines should be developed through a stakeholder input process that allows for collaboration between companies, consumers and law enforcement.
In general, both hearings highlighted the rising threat of cybercrime and the need for federal data security and breach notification standards. Many senators on both committees were eager to make clear that while they expect retailers and financial institutions to take appropriate measures to secure their customers’ information and to promptly notify consumers of any breaches, the companies themselves are also victims of cybercrimes, and that private industry, government and consumers must work together to prevent such breaches in the future.
The House Energy & Commerce Committee will hold a hearing on Wednesday, February 5, 2014, entitled “Protecting Consumer Information: Can Data Breaches Be Prevented?” The hearing will feature many of the same witnesses from the Senate hearings.