March 26, 2014

Target supports calls for data breach notification

March 27, 2014 – Senate Commerce Committee leaders and all witnesses, including those from the Federal Trade Commission and Target, expressed support for a national data breach notification standard during Wednesday's hearing on protecting consumers' personal data from cybersecurity attacks.

"A single federal standard would ensure all consumers are treated the same with regard to notification of data breaches that might cause them harm," committee Ranking Member John Thune, R-S.D., said in his opening statement. "Such a standard would also provide consistency and certainty regarding timely notification practices, which benefits both consumers and businesses."

Notification aside, Sen. Claire McCaskill, D-Mo., also spoke up to emphasize that whatever is being said about the costs of data breaches on merchants – due to lost consumer confidence and the like – the true costs of these incidents are being borne by credit unions and banks that are replacing consumers' payment cards, reimbursing consumers for fraudulent charges and providing account monitoring when data is stolen.

Wednesday's hearing looked at the impact of data breaches on consumers and legislation that would establish federal data security standards, including S. 1193, the "Data Security and Breach Notification Act of 2013" and S. 1976, the "Data Security and Breach Notification Act of 2014," introduced by committee Chairman John Rockefeller IV, D-W.Va.

NAFCU has emphasized that while S. 1976 is a comprehensive effort that moves the conversation forward, any data security legislation must recognize credit unions' compliance with the Gramm-Leach-Bliley Act and not subject them to new onerous or duplicative regulation.

During Wednesday's hearing, Rockefeller formally introduced his staff report, "A ‘Kill Chain' Analysis of the 2013 Target Data Breach," that details ways in which Target may have failed to take advantage of several opportunities to prevent the recent breach.