WASHINGTON – "American consumers deserve to know when their private information has been compromised and what a business is doing in response to a cyberattack," Sen. Patrick Leahy (D-Vt.) said during a Tuesday Senate Judiciary Committee hearing.
The hearing follows recent data breaches at Target and Neiman Marcus. Target CFO John Mulligan and Neiman Marcus Group Chief Information Officer Michael Kingston were among those who testified during the hearing, "Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime."
After an attack, "time is of the essence for law enforcement seeking to catch the perpetrator, and also for consumers who want to protect themselves against further exposure," Leahy added.
Leahy, who chairs the committee, early this year introduced the Personal Data Privacy and Security Act, which would establish consumer data security standards for companies, and require them to notify consumers when a data breach has occurred.
Merchants and the financial services industry will need to move together as data security issues are addressed and the payment system is upgraded, Mulligan told legislators. He said his firm is working closely with federal investigators to catch data breach perpetrators.
While Mulligan advocated for the adoption of chip and PIN technology by card providers and merchants alike, another witness, Symantec Corporation SVP of Security Product and Services Fran Rosch, said chip and PIN is not a panacea but is a step in the right direction.
Sen. Dianne Feinstein (D-Calif.) noted that she introduced a data breach notification bill as early as 2003, but said the bill did not make progress. Companies strongly fought the bill, she said. Any data security bill that moves forward in the U.S. Congress must contain data breach notification provisions for customers, Feinstein said.
CUNA has called on Capitol Hill lawmakers to ensure that consumers know where their information was breached. CUNA has also urged lawmakers to follow two other basic principles as they consider data security fixes: all participants in the payments system should be responsible and be held to comparable levels of data security requirements; and those responsible for the data breach should be responsible for the costs of helping consumers.
These points were raised in letters sent for the record of data security hearings held this week.
CUNA's data security letter to lawmakers is available here.