Senate Democrats pushed for a set of standards governing how companies defend against and respond to data breaches.
The repeated calls for data security and breach notification standards at a Senate Judiciary Committee hearing Tuesday. The hearing included representatives from Target and Neiman Marcus, both of which suffered from data breaches affecting millions of consumers in recent months.
“We want to give you a framework … that protects consumers, so they know what their rights are … but also protects businesses,” Senate Judiciary Chairman Patrick LeahyPatrick Joseph LeahyOvernight Energy & Environment — Presented by the American Petroleum Institute — Democrats address reports that clean energy program will be axed Overnight Health Care — Presented by Carequest — Colin Powell's death highlights risks for immunocompromised On The Money — Democrats tee up Senate spending battles with GOP MORE (D-Vt.) said. Last month, Leahy introduced a bill that would impose criminal penalties for companies that fail to notify customers after a data breach.
Strong data security protections are going to be necessary to ensure that U.S. consumers trust the companies processing their data, Leahy said.
The country’s economy is “slowly recovering,” he said, “but without that credibility, we can’t do it.”
Senate Judiciary ranking member Chuck GrassleyChuck GrassleyBipartisan lawmakers target judges' stock trading with new bill Another voice of reason retires Overnight Health Care — Presented by Carequest — FDA moves to sell hearing aids over-the-counter MORE (R-Iowa) seemed optimistic that a set of flexible rules could be crafted, “as opposed to burdensome government regulation.”
“We’re all trying to find the same solution” to address the need for consumer data protection, he said.
During the hearing, Federal Trade Commission Chairwoman Edith Ramirez spoke to her agency’s recognition of this need for flexibility.
While “it’s important that customers be notified reasonably promptly,” — usually within 60 days — the FTC understands if companies need to delay notification to comply with ongoing law enforcement investigations, she said.
Sen. Dianne FeinsteinDianne Emiel Feinstein Ban on new offshore drilling must stay in the Build Back Better Act Senate GOP signals they'll help bail out Biden's Fed chair Jane Fonda to push for end to offshore oil drilling in California MORE (D-Calif.) said companies need to inform customers after data breaches and pushed the witnesses for more information regarding when the companies found out about the breaches and what steps they took to respond.
“I am a shopper at your institution, and I don’t recall getting any notice,” Sen. Dianne Feinstein said to Neiman Marcus Chief Information Officer Michael Kingston.
Feinstein also asked Target Chief Financial Officer John Mulligan why the company did not contact customers individually about the data breach.
Mulligan replied that the company does not have contact information for all of the customers that may have been impacted.
“So you were depending on the public for your notice,” she said, referring to news reports about the breaches.
While pushing the retail representatives for more information on the breaches, committee members thanked the companies for testifying on the topic.
“It’s not easy to be the face of the industry that really bears the responsibility for, what I see, as a record of failure,” Sen. Richard Blumenthal (D-Conn.) said.
Earlier on Tuesday, Blumenthal — along with Sen. Ed MarkeyEd MarkeyOvernight Energy & Environment — Presented by American Clean Power — Dems see path to deal on climate provisions Democrats say they have path to deal on climate provisions in spending bill TikTok, Snapchat seek to distance themselves from Facebook MORE (D-Mass.) — announced a data security bill that would establish “a process for helping companies to establish appropriate security plans to safeguard sensitive consumer information” and require “companies to promptly notify consumers after a breach has occurred.”
The retail representatives said they would support data security and breach notification standards crafted with input from the companies that would follow those standards.
“I think guidelines and standards are always helpful, particularly in this case,” Kingston said.
“Private industry and government have to work together here,” Mulligan said, adding that Target has been compliant with law enforcement officials.