Washington – As executives from Target and Neiman Marcus prepared to tell a Senate panel how hackers stole personal information from millions of their customers, Sen. Richard Blumenthal introduced a new data security bill.
Blumenthal’s bill, introduced Tuesday, would require the Federal Trade Commission to set standards for protection of bank and retail credit cards and debit cards. Co-sponsored by Sen. Ed Markey, D-Mass., the legislation would also require merchants to promptly notify customers of a data breach.
But witnesses from Target and Neiman Marcus, who testified about data breaches that have potentially made millions of Americans vulnerable to identity theft, told the Senate Finance Committee that the retailers do not need new laws to safeguard their customers’ personal information.
John Mulligan, Target chief financial officer and executive vice president, apologized several times for the breach, which was brought to the attention of the company by the Justice Department and the Secret Service.
“We will learn from this incident and, as a result, we hope to make Target, and our industry, more secure for customers in the future,” Mulligan said.
Blumenthal, D-Conn., and other members of the Senate Finance Committee pressed Mulligan and Neiman Marcus CIO Michael Kingston on the use of so-called “chip and PIN” technology that’s widely used in Europe.
This technology calls for a microchip to be embedded in every card and requires the use of a personal identification number for every transaction with a debit or credit card.
Most American debit and credit cards rely on decades-old magnetic strips. The Target breach was attributed to malware that infiltrated the card reader system the store used to read magnetic strips on credit cards.
“The fact that American retailers are behind Europe and the rest of the world in chip and pin technology is repugnant,” Blumenthal said.
Mulligan said Target will spend $100 million to issue its customers new TargetRED cards with chip and PIN technology and has sped up the process of replacing its old cards.
An estimated 40 million credit and debit card accounts of customers who shopped the company’s U.S. stores from Nov. 27 through Dec. 18, 2013, were affected by the Target breach. Customers’ names, credit and debit card numbers, expiration dates and personal identification numbers were stolen. Up to 70 million Target customers are vulnerable to the theft of non-card personal information, including names, phone numbers and email and mailing addresses.
Neiman Marcus’ Kingston told the committee that payment card information from transactions at 77 of 85 stores between July and October was stolen.
“Public confidence is crucial to our economy,” said Sen. Patrick Leahy, D-Vt. “If consumers lose faith in business’ ability to protect their personal information, our economic recovery will falter.”
Blumenthal said the retail industry “has a record of failure.”
“This information is not yours,” Blumenthal said. “It’s entrusted to you, but it belongs to the consumers.”
Senators said the data breaches are likely to continue without new practices to safeguard information. Congress has wrestled with proposals for data security for years. Blumenthal’s bill is just the latest.
But lawmakers have not been able to come to agreement on the issue.
The threat and dangers of data breaches are also not unique to the retail industry. There have been significant data breaches involving Sony, Epsilon, Coca-Cola and Yahoo!, as well as federal government agencies such as the Departments of Veterans Affairs and Energy.
According to the Privacy Rights Clearinghouse, more than 662 million records have been involved in data breaches since 2005. Fran Rosch, Symantec Corp.’s senior vice president of security products, said the type of hacking Target and Neiman Marcus were subjected to is not new, but the pace of attacks is increasing.
“So the conversation should be about breaches – plural – not just one breach. It should be about how they are happening, how government can go after the sophisticated criminal enterprises that steal the data, and what organizations can do to prevent and minimize the risk of a successful attack,” Rosch said.
Rosch also said any new security standard would have to be flexible enough to change with the increasingly sophisticated threats from hackers.