Today in Washington, a congressional Banking, Housing, and Urban Affairs subcommittee met to discuss recent consumer financial data breaches, and the role retailers, bankers, and the government must play to prevent them from happening again. Leading the subcommittee was Congressman Mark Warner of Virginia, who detailed the necessity for swift action. He repeatedly called for unity among all players — including bankers, retailers, and credit cards — noting that all must be on the same page and not consider the others antagonists in order to successfully protect millions of consumers’ personal data.
The elephant in the room was undoubtedly the ongoing Target and Neiman Marcus security breach, which allowed hackers access to millions of customers personal financial information. Executives from these companies will be testifying to Congress in the coming weeks. The looming question on the tip of each senator’s tongue was, what can be done to prevent such a data fiasco from happening again?
Senator Mark Warner, the subcommittee’s chair, noted that last year cyber crime caused reportedly $300 billion in damage, and that that statistic has most definitely increased over the last year. He questions the tactics the Secret Service has taken when looking at and trying to block large-scale security breaches. “Why is that that the security service or even security bloggers are the first to know of these attacks,” pointing to private companies and news outlets who made the Target story public. He then queried, “why is it taking us so long to respond?”
The first panelists at the hearing — William Noonan, Deputy Special Agent in Charge of the US Secret Service, and Jessica Rich, the Director of the FTC’s Bureau of Consumer Protection — didn’t provide too much insight into either of these question. They did insist, of course, that their organizations are working to protect such crimes from happening again. Given the constantly evolving state of cybercrime Noonan noted that “malware can be molded and changed per attack.” And he ultimately agreed that the legislative action would help his organization a great deal.
Ms. Rich repeatedly harped on the fact that there is no federal standard for data security practices. “It would be extremely helpful to have a federal law around data security… with civil penalties,” she said. She continued repeating this as the hearing continued.
Massachusetts Senator Elizabeth Warren, perhaps the most outspoken and well-known when it comes to the government’s role in protecting consumer data, catechized this lack of standard, and repeatedly interrogated Rich about the efficacy of current FTC data regulations. Under current FTC rules, only companies that make false claims about their data practices to the public are given FTC scrutiny. If a company makes no claim about how they treat their data, that’s a different story. “If a company’s security standards are inadequate and the company says nothing about them, then the FTC is powerless,” Warren explained.
Though Rich tried to combat this point saying there are other FTC safeguards to protect consumer data from poor private security standards, she ultimately acknowledged Warren’s claims. “We do need more tools,” Rich said. This seems more than obvious, as the FTC has only gone after thirty companies for deceptive security practices and merely twenty for unfair practices in the last decade.
Following Rich and Noonan were testimonies from a panel of bankers, retail executives, and security experts. What commenced was a lengthy discussion about the necessity to implement new security safeguards, such as credit card chips and PINs. All the senators seemed to agree that better technological safeguards needed to be put into place — many of whom pointed to Europe as a beacon of safer credit and debit card transactions.
And, of course, with issues like consumer data protection, it’s not surprising that there’s a general tenor of agreement. People’s information should be safe. Where industries and senators differ, however, are in how this should be approached. For example, Senator Mike Johanns from Nebraska who noted that the majority of successful cybercriminals seem to hail from countries in Eastern Europe. “It looks to me like Eastern Europe is a sanctuary if you’re a hacker,” he said.
At the same time, this was all just lip service; no real agreement on how to proceed was came to. It’s the future bills that will speak to the efficacy of these kinds of hearings.
With more security breaches being brought to the public’s eye, it’s apparent that retailers and banks alike need to figure out how protect against this. The Independent Community Bankers of America provided a statement this morning explaining that a good first step would be to holding retailers accountable to the same security standards as banks.
These standards are from a piece of legislation called the Gramm-Leach-Bliley Act (GLBA), which work toward “secreting consumer data at financial institutions.” As the ICBA’s statement explained, “to adequately protect consumers and the payments system, all participants in the payment system should be subject to GLBA-like standards.”
This goes along with Ms. Rich’s comments the the FTC should be able to implement federal standards to all parties dealing with consumer data.
As with all political rigmarole comes the waiting time compounded with the lobbying time. While politicians are slowly debating why and how to approach these issues, with so many financial institutions’ skins on the line, hackers are getting better at infiltrating networks. The current standards, or lack thereof, aren’t cutting it.
Or, as Senator Warren aptly put it, “we may need some pressure from the government.” And by pressure, she means any proactive movement whatsoever.
[Image for Pando by Brad Jonas]