
Obama administration seeks tougher cyber-security law

Donna Leinwand Leger
USA TODAY
A customer signs a credit card statement next to a scanner in a Target store on Dec. 19, 2013, in Miami.
  • The Senate Judiciary Committee holds hearing on preventing data breaches
  • Major breaches at Target and Neiman Marcus examined
  • New technology could curb breaches, but costs are a concern

WASHINGTON — The Obama administration recommends a uniform federal standard requiring businesses to quickly report thefts of electronic personal information, acting Assistant Attorney General Mythili Raman told a Senate Judiciary Committee hearing Tuesday.

The hearing explored ways to combat cyber-crime after massive data breaches at major retailers, including Target, which announced it is spending $100 million to expedite transition to "smart" cards with computer chips from the standard magnetic strip credit and debit cards.

"Businesses should be required to provide prompt notice to consumers in the wake of a breach," Raman said. "American consumers should know when they are at risk of identity theft or other harms because of a data security breach."

Executives from Target and Neiman Marcus also testified, detailing their responses to recent breaches. Neiman Marcus Senior Vice President Michael Kingston said the company first learned of a possible problem Dec. 17 when Mastercard told the retailer that 122 fraudulently used credit cards had been used at Neiman Marcus.

On Jan. 2, a forensic team confirmed the data breach, which compromised the accounts of 1.1 million customers, Kingston said.

Sen. Dianne Feinstein, D-Calif., said she is a Neiman Marcus shopper and never received notification of the breach. Kingston said Neiman Marcus notified online and in-store customers Jan. 22.

The law should require more prompt customer notification, Feinstein said.

"The public notification is always vague, it is non-specific," Feinstein said. "Then the customer finds out in other ways, sometimes brutal ways," that their personal data have been stolen.

Federal Trade Commission Commissioner Edith Ramirez testified that the FTC wants a strong federal data security and breach notification law. Although most states have laws, a "strong and consistent national requirement would simplify compliance by business while ensuring that all consumers are protected," she said.

The law, in addition to requiring retailers and other corporations to comply with a federal data security law, should enable the FTC to bring cases and make data security rules for non-profit groups, she said.

"Never has the need for legislation been greater," Ramirez said. "With reports of data breaches on the rise, and with a significant number of Americans suffering from identity theft, Congress needs to act."

The hearing began with Target Chief Financial Officer John Mulligan apologizing for the data breach that exposed information involving 110 million Target customers.

"We know this breach has shaken their confidence in Target, and we are determined to work very hard to earn it back," Mulligan told the panel.

Target learned of a potential problem on the evening of Dec. 12 when the Justice Department notified the company of suspicious activity involving payment cards used at Target stores. Mulligan said company officials met with the Justice Department and Secret Service the next day. On Dec. 14, Target hired an independent team of experts to conduct a forensic investigation.

That team confirmed Dec. 15 that "criminals had infiltrated our system, had installed malware on our point-of-sale network and had potentially stolen guest payment card data," Mulligan said. The same day, the company removed the malware "from virtually all registers in our U.S. stores."

The company disabled malware on 25 additional registers Dec. 18, he said. Within a week of discovery of the breach, the public was notified, he said.

"We have been moving as quickly as possible to share accurate and actionable information with the public," Mulligan said, adding that the company had no knowledge of malware in its system before the Justice Department notification.

"Speed is very important in letting consumers know what's going on," but Target also considered the accuracy of the information it could deliver and whether there was anything the consumer could do, Mulligan said. He said an "end-to-end" investigation of the breach continues.

About 40 million Target credit and debit card accounts were breached late last year, compromising customers' credit and debit card numbers, expiration dates, PIN numbers and codes on the cards' magnetic strips. Also stolen was non-card personal information — names, phone numbers and e-mail and mailing addresses — for up to 70 million Target customers.

Consumer Union, the policy and action division of Consumer Reports, is concerned about vulnerabilities in debit cards, which have fewer legal protections than credit cards, policy counsel Delara Derakhshani told the committee.

"While consumers might not ultimately be held responsible if someone steals their debit card and PIN number, data thieves can still empty out consumers' bank accounts and set off a cascade of bounced checks and late fees, which victims will have to settle down the road," Derakhshani said. "The burden is being put on consumers to be vigilant to prevent future fraudulent use of their information."

Although Target, Neiman Marcus and other retailers have offered a year of free credit monitoring for customers whose accounts were breached, Derakhshani said such services have drawbacks. Many of the contracts with the credit monitoring services require consumers to agree to mandatory arbitration, giving up their right to go to court if disputes arise.

A digital chip system can store account information on debit and credit cards. Compared with the current magnetic strips, it's a system that typically makes data theft harder and is common in other countries.

Derakhshani said widespread adoption of technology would require massive changes that will be expensive for processors and retailers.

Target is a proponent of "Chip and PIN" technology and is moving its stores in that direction, Mulligan said. Target's credit cards, called REDcards, that use magnetic strips will be replaced with smart cards that use data chips by the first quarter of 2015, six months ahead of previous plans, he said.

The company will spend about $100 million to replace the cards and install card readers in its 1,800 U.S. stores. The retailer's stock price was little changed late Tuesday, trading at about $55.

Neiman Marcus is "certainly willing to consider anything that will make consumer information safer," Kingston said, but adopting "chip and PIN" will require a lot of work to change software and deploy the technology.

"I think the answer comes down to money," Derakhshani said.
