By Kate Tummarello - 02/04/14 05:27 PM EST
Senate Democrats pushed for a set of standards governing how companies defend against and respond to data breaches.
The repeated calls for data security and breach notification standards at a Senate Judiciary Committee hearing Tuesday. The hearing included representatives from Target and Neiman Marcus, both of which suffered from data breaches affecting millions of consumers in recent months.
“We want to give you a framework … that protects consumers, so they know what their rights are … but also protects businesses,” Senate Judiciary Chairman Patrick Leahy (D-Vt.) said. Last month, Leahy introduced a bill that would impose criminal penalties for companies that fail to notify customers after a data breach.
Strong data security protections are going to be necessary to ensure that U.S. consumers trust the companies processing their data, Leahy said.
Senate Judiciary ranking member Chuck Grassley (R-Iowa) seemed optimistic that a set of flexible rules could be crafted, “as opposed to burdensome government regulation.”
“We’re all trying to find the same solution” to address the need for consumer data protection, he said.
During the hearing, Federal Trade Commission Chairwoman Edith Ramirez spoke to her agency’s recognition of this need for flexibility.
While “it’s important that customers be notified reasonably promptly,” — usually within 60 days — the FTC understands if companies need to delay notification to comply with ongoing law enforcement investigations, she said.
Sen. Dianne Feinstein (D-Calif.) said companies need to inform customers after data breaches and pushed the witnesses for more information regarding when the companies found out about the breaches and what steps they took to respond.
“I am a shopper at your institution, and I don’t recall getting any notice,” Sen. Dianne Feinstein said to Neiman Marcus Chief Information Officer Michael Kingston.
Feinstein also asked Target Chief Financial Officer John Mulligan why the company did not contact customers individually about the data breach.
Mulligan replied that the company does not have contact information for all of the customers that may have been impacted.
“So you were depending on the public for your notice,” she said, referring to news reports about the breaches.
While pushing the retail representatives for more information on the breaches, committee members thanked the companies for testifying on the topic.
“It’s not easy to be the face of the industry that really bears the responsibility for, what I see, as a record of failure,” Sen. Richard Blumenthal (D-Conn.) said.
Earlier on Tuesday, Blumenthal — along with Sen. Ed Markey (D-Mass.) — announced a data security bill that would establish “a process for helping companies to establish appropriate security plans to safeguard sensitive consumer information” and require “companies to promptly notify consumers after a breach has occurred.”
The retail representatives said they would support data security and breach notification standards crafted with input from the companies that would follow those standards.
“I think guidelines and standards are always helpful, particularly in this case,” Kingston said.
“Private industry and government have to work together here,” Mulligan said, adding that Target has been compliant with law enforcement officials.