FTC ‘Needs More Tools’ to Fight Data Breaches, Says Rich at Senate Banking Subcommittee Hearing
The need for the FTC to have stronger “tools” to go after cybercriminals was raised Monday at a hearing of the Senate Banking Committee’s Finance Subcommittee. Senators questioned whether the FTC had the proper authority to pursue criminals and enforce better data security on the part of companies. There was support for Europay, Mastercard and Visa (EMV) technology, which would increase credit and debit card security, but EMV would not have stopped the Target breach, said Edmund Mierzwinski, U.S. Public Interest Research Group consumer program director.
Since reported data breaches at Target (WID Dec 23 p9), Neiman Marcus (WID Jan 14 p8) and Michaels (WID Jan 28 p9), there has been an “exponential rise” in data security concerns, said subcommittee Chairman Mark Warner, D-Va. The debate on data security should not entail “another long-term fight” among bankers, retailers and the card industry, he said. Chip and PIN technology is more “effective” than the current “swipe system,” but it’s not a “silver bullet,” said Warner. “Real potential exposure” for data breaches is for online banking and bank accounts, which have “very few protections, at this point,” he said. Many cybercrimes originate from Eastern Europe and use the Russian language for “operational security,” said William Noonan, U.S. Secret Service deputy special agent in charge of the criminal investigative division.
Sen. Elizabeth Warren, D-Mass., asked whether the FTC is “powerless” to pursue companies with “totally inadequate data standards.” The FTC’s work has brought attention to the issue of data security and has brought some cybercriminals to justice, but “we do need more tools,” said Jessica Rich, FTC Bureau of Consumer Protection director. The FTC supports federal standards for breach notifications and data security, with civil penalties for the latter, she said. That the FTC’s “enforcement authority is so limited” is a “real problem,” said Warren. “It has been a while,” said Rich, when asked by Sen. Jon Tester, D-Mont., about the last time the FTC’s “tools” to go after cybercriminals were “revamped.”
FTC data breach investigations “focus on reasonableness” and take into account the amount of data a particular company stores and the “sensitivity” of the data, said Rich, in prepared remarks. There’s not a “one-size-fits-all data security program,” nor does the FTC “require perfect security,” she said. Just because a breach “occurred does not mean that a company has violated the law,” she said. Companies should “limit” the amount of data they collect and “properly dispose” of unnecessary data, along with strengthening data security measures, she said.
The “quality, quantity, and complexity of cyber crimes” continues to increase, said Noonan, in prepared remarks. The “compartmentalization” of data attack operations has “greatly” increased their sophistication, he said. A “poorly understood” fact about data breaches is that the victim companies are “rarely” the first to discover the breach, he said. “Law enforcement, financial institutions, or other third parties” typically “identify and notify the likely victim company of the data breach,” he said.
"No security breach seems to stop the $3 trillion that Americans spend safely and securely” annually with credit and debit cards, said James Reuter, executive vice president of FirstBank, representing the American Bankers Association (ABA), in prepared remarks. Reuter said the ABA “strong supports” the Data Security Act and called the creation of a national data breach standard “essential.” He said EMV technology will enhance card security and the implementation of EMV is “well under way,” with deadlines for implementation by banks and retailers set for late 2015. The banks, retailers, and government have all been “delayed” in implentation of chip and PIN technology, but it’s the consumers who are having their data stolen, said Warren.
Thirty-seven percent of breaches occurred in financial institutions in 2013, while 24 percent were at retail companies, 20 percent in manufacturing, transport and utility companies, and 20 percent in “information and professional service firms,” said Mallory Duncan, National Retail Federation general counsel, citing a Verizon report. It’s “long past time for the U.S. to adopt PIN and chip card technology,” said Duncan. Chip and PIN technology would not have stopped the Target breach, “since unencrypted information was collected from the Target system’s internal RAM memory, after the cards had already been used,” said Mierzwinski.