February 05, 2014

Lawmakers, witnesses talk data security standards

Lawmakers and witnesses made more calls Wednesday for a federal standard on data security and breach notification, in light of the recent Target breach and others, during a House Energy and Commerce subcommittee hearing. NAFCU had urged such a standard in a letter to subcommittee leaders on Tuesday.

Federal Trade Commission Chairwoman Edith Ramirez, in her testimony and in response to questions, supported federal standards on breach prevention and notification during the hearing, held by the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade. NAFCU is pressing for similar standards for retailers but is urging against added burden for financial institutions, which are already subject to data protection measures under the Gramm-Leach-Bliley Act.

The Obama administration is also recommending a federal standard for notification after a business discovers a breach of consumers' data, as noted by Acting Assistant Attorney General Mythili Raman during a Senate Judiciary Committee hearing Tuesday.

During Wednesday's hearing:

  • Illinois State Attorney General Lisa Madigan said a national standard should not preempt state efforts, and Ramirez agreed. Madigan said "federal laws should be a floor, not a ceiling."
  • Rep. Peter Welch, D-Vt., reiterated his view that chip-and-pin card technology would protect against future retailer data breaches. Echoing a view held by NAFCU, Ramirez said any bill enacted should not favor one technology over another.
  • Target Corporation Executive Vice President and CFO John Mulligan apologized to consumers affected by the data security breach. Testifying alongside witnesses for the Neiman Marcus Group, PCI Security Standards Council and Trustwave Holdings, he said the corporation will work to rebuild its reputation and customers' trust.
  • The hearing included an exchange between Rep. Marsha Blackburn, R-Tenn., and PCI witness Bob Russo. Russo said that while there is no precise information on what happened at Target, over the last seven years all major breaches have resulted from basic exploits that could have been defeated if retailers had better security in place.