Menendez Seeks Quicker Data Breach Notices from Banks
Financial institutions aren’t acting quickly enough to notify consumers about data breaches, Sen. Robert Menendez, D-N.J., said at a Senate Banking Committee hearing Tuesday. Witnesses representing financial entities, law enforcement and privacy groups said the accelerating number of data breaches necessitates a federal law. But some cautioned Congress to consider existing laws when writing legislation.
Menendez said he was bothered by how long it took Citigroup to tell customers, including his chief of staff, about the recent data breach. “The one thing I’m still alarmed at is timely notice to customers,” Menendez said. “I’d like to see an industry response to that, but in the absence of that,” legislation may be needed. Banking Committee Chairman Tim Johnson, D-S.D., said: “Breaches are disruptive, raise the potential for financial fraud and identity theft,” and pose “severe threats to national economic security.”
Financial institutions take consumer notification “very seriously,” said BITS President Leigh Williams of the Financial Services Roundtable. “As soon as an institution understands what has occurred, they have an obligation to notify their regulators … and they have a fiduciary and a business responsibility to notify customers if there’s any way that those customers can begin to take action to protect themselves.” Financial institutions are investing “tens of billions of dollars” in cyberprotection, Williams said. “I can’t promise you that there will never be another breach of financial services, but I can tell you we constantly improve our ability to repel these attacks and we constantly improve our ability to protect against inconvenience and any financial loss on the part of customers.”
Financial entities may be spending a lot of money to safeguard data, “but what consumers are seeing are more and more breach notifications, more and more warnings that their credit card information is in the hands of others [and] more and more recommendations that they may need to change their bank account numbers,” said Marc Rotenberg, president of the Electronic Privacy Information Center. “We have a problem, and this problem is getting worse.”
The U.S. Secret Service supports cybersecurity legislation proposed by President Barack Obama, said Pablo Martinez, deputy special agent in charge of the U.S. Secret Service Criminal Investigative Division. The plan “will better equip law enforcement agencies … with additional tools to combat transnational cybercrime by enhancing penalties against criminals that attack critical infrastructure and adding computer fraud as a predicate offense” under the law. The Financial Services Roundtable supports the Obama administration proposal because it’s a comprehensive approach that addresses both the entire ecosystem and specific sectors like financial services, Williams said.
One national law would be better than the existing patchwork of state laws about cybersecurity and data protection, Martinez said. Kevin Streff, director of Dakota State University’s Center for Information Assurance, added that inconsistencies among laws are confusing consumers. Rotenberg agreed it’s easier to administer one national standard, but said “it’s very important to look at the practical effect when a low national standard removes higher state safeguards.” But Williams said that industry by itself would go above and beyond the baseline set by a national law.
New cybersecurity law shouldn’t “impair or impinge on effective laws that already address risks in the financial services sector,” said Consumer Data Industry Association President Stuart Pratt. An additional set of requirements could burden businesses, he said. “Alignment is key.” Lawmakers should “appreciate” existing protections set up by government-industry collaborations, said Williams.
Small- and medium-sized businesses are especially vulnerable to cyber attacks, said Streff. He estimated that 70 percent of those types of companies lack “basic security controls.” And 85 percent of cyber attacks target small businesses, he said. “The keys are laying there on the small business desk and the crooks are picking them up and simply logging into the bank and doing nefarious activity.”