Senate Dems push data security standards

Senate Democrats pushed for a set of standards governing how companies defend against and respond to data breaches.

The repeated calls for data security and breach notification standards at a Senate Judiciary Committee hearing Tuesday. The hearing included representatives from Target and Neiman Marcus, both of which suffered from data breaches affecting millions of consumers in recent months.

“We want to give you a framework … that protects consumers, so they know what their rights are … but also protects businesses,” Senate Judiciary Chairman Patrick LeahyPatrick LeahyImmigration battlefield widens for Trump, GOP Grassley shouldn't allow Senate Democrats to block judicial nominees Trump’s rhetoric and bluster could lose US an ally in Mexico MORE (D-Vt.) said. Last month, Leahy introduced a bill that would impose criminal penalties for companies that fail to notify customers after a data breach.

Strong data security protections are going to be necessary to ensure that U.S. consumers trust the companies processing their data, Leahy said.

ADVERTISEMENT
The country’s economy is “slowly recovering,” he said, “but without that credibility, we can’t do it.”

Senate Judiciary ranking member Chuck GrassleyChuck GrassleyWhite House clarifies: We condemn all violence Republican lawmakers criticize Trump response to Charlottesville Grassley reverses ‘expectation’ of Supreme Court vacancy this year MORE (R-Iowa) seemed optimistic that a set of flexible rules could be crafted, “as opposed to burdensome government regulation.”

“We’re all trying to find the same solution” to address the need for consumer data protection, he said.

During the hearing, Federal Trade Commission Chairwoman Edith Ramirez spoke to her agency’s recognition of this need for flexibility.

While “it’s important that customers be notified reasonably promptly,” — usually within 60 days — the FTC understands if companies need to delay notification to comply with ongoing law enforcement investigations, she said.

Sen. Dianne FeinsteinDianne FeinsteinTrump's Democratic tax dilemma Feinstein: Trump immigration policies 'cruel and arbitrary' The Memo: Could Trump’s hard line work on North Korea? MORE (D-Calif.) said companies need to inform customers after data breaches and pushed the witnesses for more information regarding when the companies found out about the breaches and what steps they took to respond.

“I am a shopper at your institution, and I don’t recall getting any notice,” Sen. Dianne Feinstein said to Neiman Marcus Chief Information Officer Michael Kingston.

Feinstein also asked Target Chief Financial Officer John Mulligan why the company did not contact customers individually about the data breach.

Mulligan replied that the company does not have contact information for all of the customers that may have been impacted.

“So you were depending on the public for your notice,” she said, referring to news reports about the breaches. 

While pushing the retail representatives for more information on the breaches, committee members thanked the companies for testifying on the topic.

“It’s not easy to be the face of the industry that really bears the responsibility for, what I see, as a record of failure,” Sen. Richard BlumenthalRichard (Dick) BlumenthalSenators push FTC to finalize changes to contact lens rule Trump rule change ignites safety debate Blumenthal: ‘No question’ evidence connects Manafort with criminal wrongdoing MORE (D-Conn.) said.

Earlier on Tuesday, Blumenthal — along with Sen. Ed MarkeyEd MarkeySenate Dem: Trump has to stop ‘reckless’ language on North Korea Trump sparks debate over war resolution for North Korea Foreign Relations Dem: North Korea is the modern-day Cuban missile crisis MORE (D-Mass.) — announced a data security bill that would establish “a process for helping companies to establish appropriate security plans to safeguard sensitive consumer information” and require “companies to promptly notify consumers after a breach has occurred.”

The retail representatives said they would support data security and breach notification standards crafted with input from the companies that would follow those standards.

“I think guidelines and standards are always helpful, particularly in this case,” Kingston said.

“Private industry and government have to work together here,” Mulligan said, adding that Target has been compliant with law enforcement officials.