In the wake of recent data breaches at major retailers Target and Neiman Marcus, Senate Judiciary Chairman Patrick Leahy (D-VT) has renewed his efforts to enact stronger data security requirements for companies that collect consumers’ personal data. Sen. Leahy has introduced the Personal Data Privacy and Security Act (S. 1897), detailed in a previous post, which would create a national data breach notification standard. Several other lawmakers have introduced similar legislation or made calls for stronger regulatory enforcement of data security rules. Now, Sen. Leahy has announced that his Committee will hold a hearing on the recent data breaches on February 4, 2014. According to a statement from Committee staff, the hearing will focus on “privacy in the digital age,” including how to prevent data breaches and combat cybercrime. The House Energy & Commerce Committee has also announced it will hold a hearing in early February.
Target is facing increasing scrutiny from lawmakers as revelations about the scope and size of the breach grow. The company has been called to testify before the House Energy & Commerce Committee’s February hearing and is likely to be asked to testify in the Senate hearing as well. Target has sent e-mail notifications to its customers affected by the breach, advising them on what information was released and providing a year-long subscription to Experian’s “ProtectMyID” service, which provides identity theft insurance. Law enforcement officials and regulators are also expected to testify about the need for increased enforcement authority. Recently, Federal Trade Commissioner Maureen Ohlhausen has called for “regulatory humility” in the face of mounting calls for increased regulations. “We simply do not need new talk, new laws or new regulations,” Commissioner Ohlhausen said at a recent event at the Technology Policy Institute.
While two congressional hearings are already scheduled, more may be on the way. On January 10, 2014, Senate Commerce Committee Chairman Jay Rockefeller (D-WV) and Commerce Consumer Protection Subcommittee Chairman Claire McCaskill (D-MO) sent a letter to Target CEO Gregg Steinhafel asking the company to provide a “briefing to committee staff regarding [Target’s] investigation and latest findings.” Rep. Elijah Cummings (D-MD), the Ranking Member of the House Oversight and Government Reform Committee, has urged Chairman Darrell Issa to examine the Target breach as a way to learn about data security failures that could be used to strengthen protection for the federal government’s Affordable Care Act website, Healthcare.gov.
As Congressional attention towards data security and breach notification continues to intensify, companies that collect and use consumer data should review and attempt to strengthen their data security systems and policies in advance of any potential legislative or regulatory action.