Column: Senate eyes reform following retail data breaches
The U.S. Senate on Wednesday held a hearing about how to best protect consumer information in light of the recent data breach at Target Corp.
The Target cyberattack, which occurred in the middle of the holiday shopping season, exposed 40 million debit and credit card numbers and the email addresses of nearly 70 million people to identity thieves.
But it was by no means an isolated incident.
There were 2,164 data breaches exposing more than 822 million records reported worldwide last year, with nearly half occurring in the U.S., according to a report from Risk Based Security Inc.
Business breaches accounted for nearly three-quarters of the records exposed last year, and the Target incident wasn’t the largest.
A single hack at Adobe Systems exposed 152 million customer names, passwords and debit or credit card numbers last year, the largest breach ever, according to Risk Based Security.
Because retailers not only collect payment information from customers but also track what we buy and look at online, the Senate Committee on Commerce, Science and Transportation is looking at how to best protect that information from hackers.
Committee Chairman Jay Rockefeller, D-W.Va., said we now live in an era of “big data,” and if retailers are going to collect customer details, they should do everything possible to protect that information.
“There has been a lot of anxiety lately about what kind of information the federal government may be collecting about American citizens, as part of the efforts to protect our country from the ongoing terrorist threat,” Rockefeller said. “But the truth is that private companies like Target hold vastly larger amounts of sensitive information about us than the government does. And they spend much less time and money protecting their sensitive data than the government does.”
The federal government spent more than $14.6 billion on IT security in fiscal year 2012, and even that did not protect its systems. In 2012, federal agencies reported more than 22,000 data breach incidents — more than double what was reported in 2009.
David Wagner, president of security firm Entrust, said most organizations focus spending on throwing up a firewall to protect systems from outside attackers. But he said direct attacks are no longer the key threat.
Instead, hackers target one or more employees who have access to key systems. They send an official-looking email containing a link that infects the employee’s PC with corrupt software. That allows the hacker to use the employee’s computer and security access to corrupt the rest of the network.
Senators from both parties have drafted bills to require companies to adopt uniform security protocols based on the best practices currently in use.
Rockefeller also wants to require companies to immediately notify affected customers in the wake of a breach. He would also give the Federal Trade Commission and state attorneys general the power to seek civil penalties if companies break the law.
The National Retail Federation supports efforts to create a uniform federal data security and breach notification law. It also supports changing credit cards from a signature-based to PIN-based transaction system, similar to debit cards.
But the organization also cautioned Congress against penalizing hacked retailers too hard, pointing out they too are victims.
“Traditionally, we don’t blame the victim of violence for the resulting stains; we should be similarly cautious about penalizing the hackee for the hack,” the organization said in a statement to the committee.