Senate Dems push data security standards

Senate Democrats pushed for a set of standards governing how companies defend against and respond to data breaches.

The repeated calls for data security and breach notification standards came at a Senate Judiciary Committee hearing Tuesday. The hearing included representatives from Target and Neiman Marcus, both of which suffered from data breaches affecting millions of consumers in recent months.

“We want to give you a framework … that protects consumers, so they know what their rights are … but also protects businesses,” Senate Judiciary Chairman Patrick Leahy (D-Vt.) said. Last month, Leahy introduced a bill that would impose criminal penalties for companies that fail to notify customers after a data breach.

Strong data security protections are going to be necessary to ensure that U.S. consumers trust the companies processing their data, Leahy said.

The country’s economy is “slowly recovering,” he said, “but without that credibility, we can’t do it.”

Senate Judiciary ranking member Chuck Grassley (R-Iowa) seemed optimistic that a set of flexible rules could be crafted, “as opposed to burdensome government regulation.”

“We’re all trying to find the same solution” to address the need for consumer data protection, he said.

During the hearing, Federal Trade Commission Chairwoman Edith Ramirez spoke to her agency’s recognition of this need for flexibility.

While “it’s important that customers be notified reasonably promptly” — usually within 60 days — the FTC understands if companies need to delay notification to comply with ongoing law enforcement investigations, she said.

Sen. Dianne Feinstein (D-Calif.) said companies need to inform customers after data breaches and pushed the witnesses for more information regarding when the companies found out about the breaches and what steps they took to respond.

“I am a shopper at your institution, and I don’t recall getting any notice,” Sen. Dianne Feinstein said to Neiman Marcus Chief Information Officer Michael Kingston.

Feinstein also asked Target Chief Financial Officer John Mulligan why the company did not contact customers individually about the data breach.

Mulligan replied that the company does not have contact information for all of the customers that may have been impacted.

“So you were depending on the public for your notice,” she said, referring to news reports about the breaches. 

While pushing the retail representatives for more information on the breaches, committee members thanked the companies for testifying on the topic.

“It’s not easy to be the face of the industry that really bears the responsibility for, what I see, as a record of failure,” Sen. Richard Blumenthal (D-Conn.) said.

Earlier on Tuesday, Blumenthal — along with Sen. Ed Markey (D-Mass.) — announced a data security bill that would establish “a process for helping companies to establish appropriate security plans to safeguard sensitive consumer information” and require “companies to promptly notify consumers after a breach has occurred.”

The retail representatives said they would support data security and breach notification standards crafted with input from the companies that would follow those standards.

“I think guidelines and standards are always helpful, particularly in this case,” Kingston said.

“Private industry and government have to work together here,” Mulligan said, adding that Target has been compliant with law enforcement officials.