Senate Democrats pushed for a set of standards governing how companies defend against and respond to data breaches.
The repeated calls for data security and breach notification standards at a Senate Judiciary Committee hearing Tuesday. The hearing included representatives from Target and Neiman Marcus, both of which suffered from data breaches affecting millions of consumers in recent months.
“We want to give you a framework … that protects consumers, so they know what their rights are … but also protects businesses,” Senate Judiciary Chairman Patrick LeahyPatrick LeahyThe Hill's 12:30 Report The Hill's 12:30 Report Passing US-Canada preclearance would improve security and economy MORE (D-Vt.) said. Last month, Leahy introduced a bill that would impose criminal penalties for companies that fail to notify customers after a data breach.
Strong data security protections are going to be necessary to ensure that U.S. consumers trust the companies processing their data, Leahy said.
Senate Judiciary ranking member Chuck GrassleyChuck GrassleyDem senator seeks more time for 'due diligence' on Sessions nomination Senate sets date for hearings on Sessions's attorney general nomination Mnuchin, Price meet with GOP senators MORE (R-Iowa) seemed optimistic that a set of flexible rules could be crafted, “as opposed to burdensome government regulation.”
“We’re all trying to find the same solution” to address the need for consumer data protection, he said.
During the hearing, Federal Trade Commission Chairwoman Edith Ramirez spoke to her agency’s recognition of this need for flexibility.
While “it’s important that customers be notified reasonably promptly,” — usually within 60 days — the FTC understands if companies need to delay notification to comply with ongoing law enforcement investigations, she said.
Sen. Dianne FeinsteinDianne FeinsteinDem senator seeks more time for 'due diligence' on Sessions nomination Senate sets date for hearings on Sessions's attorney general nomination Senators move to protect 'Dreamers' MORE (D-Calif.) said companies need to inform customers after data breaches and pushed the witnesses for more information regarding when the companies found out about the breaches and what steps they took to respond.
“I am a shopper at your institution, and I don’t recall getting any notice,” Sen. Dianne Feinstein said to Neiman Marcus Chief Information Officer Michael Kingston.
Feinstein also asked Target Chief Financial Officer John Mulligan why the company did not contact customers individually about the data breach.
Mulligan replied that the company does not have contact information for all of the customers that may have been impacted.
“So you were depending on the public for your notice,” she said, referring to news reports about the breaches.
While pushing the retail representatives for more information on the breaches, committee members thanked the companies for testifying on the topic.
“It’s not easy to be the face of the industry that really bears the responsibility for, what I see, as a record of failure,” Sen. Richard BlumenthalRichard BlumenthalOvernight Tech: AT&T, Time Warner CEOs defend merger before Congress | More tech execs join Trump team | Republican details path to undoing net neutrality Overnight Energy: Trump taps EPA foe to head agency | Energy reform bill officially dead CNN’s parent company promises to defend journalistic independence MORE (D-Conn.) said.
Earlier on Tuesday, Blumenthal — along with Sen. Ed MarkeyEd MarkeyGreens slam Trump’s Interior Department pick Senate sends annual defense bill to Obama's desk Overnight Cybersecurity: Fed agency IT report cards | Senate Dems push for briefing on Russia hacks MORE (D-Mass.) — announced a data security bill that would establish “a process for helping companies to establish appropriate security plans to safeguard sensitive consumer information” and require “companies to promptly notify consumers after a breach has occurred.”
The retail representatives said they would support data security and breach notification standards crafted with input from the companies that would follow those standards.
“I think guidelines and standards are always helpful, particularly in this case,” Kingston said.
“Private industry and government have to work together here,” Mulligan said, adding that Target has been compliant with law enforcement officials.