recommended reading

Senators Launch Probe of Massive Data Breaches

Sen. Elizabeth Warren declared that Congress needed to adopt tighter data-security protections.

Sen. Elizabeth Warren declared that Congress needed to adopt tighter data-security protections. // Jacquelyn Martin/AP

Several senators repeated calls for legislation to ward off massive data thefts during a hearing Monday to review the vulnerability of the nation's digital-payment systems, the first in a trio of sessions this week examining the enormous breaches sustained recently at retailers around the country.

Sen. Elizabeth Warren declared that Congress needed to adopt tighter data-security protections and heighten the Federal Trade Commission's authority to police businesses failing to adequately protect consumer data.

"The FTC should have the enforcement authority it needs to protect consumers and it looks to me like it doesn't have that authority right now," Warren, a Massachusetts Democrat, said during a Senate Banking subcommittee hearing. "Data-security problems aren't going to go away on their own, so Congress seriously needs to consider whether to strengthen the FTC's hand."

The FTC has the authority to punish "unfair" business practices, a standard that continues to remain legally murky. While the FTC has used the standard to go after some companies that have failed to ensure adequate data-security standards, pending legal challenges levied by Wyndham Hotel and LabMD seek to challenge the authority.

"You're describing a fairly demanding standard, since as you say, it's more than breach, more than the fact that people have been injured, more than the fact that a company had very lax standards," Warren told Jessica Rich, director of the FTC's Bureau of Consumer Protection, during the hearing. "This is a real problem, that the FTC's enforcement authority in this area is so limited."

Rich largely agreed with Warren's admonitions, noting that "that's one of the reasons we're supporting general data-security legislation."

Subcommittee Chairman Mark Warner, a Virginia Democrat, repeatedly called for quick action to upgrade security features on plastic card payment methods as a stopgap measure to prevent further data breaches from occurring. He hammered home his conviction that debit and credit cards need to have the same standards of data protection. Currently, credit cards typically afford more protection.

"It would seem to me that equalizing cards on the same standard makes a lot of sense," Warner said. He then asked the second panel to "give me a reason why" the two plastic forms of payment shouldn't be aligned in their protective measures. All witnesses agreed.

But Warner also cautioned that upgraded technology—so-called chip and PIN protections—could only serve as an interim solution and would only be partially effective for online shopping.

Senators and witnesses alike agreed that more needed to be done to secure customer data to prevent more wide-scale breaches, both at retail stores and in online shopping.

"Our card-payment system is outdated and prone to attack," noted James Reuter, executive vice president of FirstBank. "The fraudsters rely on our systems being so porous."

Some steps, like ensuring people use more-complex passwords, are relatively easy matters of customer education.

But more-complicated challenges, such as varied state reporting requirements when a data breach occurs, serve to undercut consumer protections. Congress is considering legislation that would create one federal reporting standard. Separately, Ranking Member Mark Kirk, an Illinois Republican, said he planned to introduce legislation that would mandate a 25-year prison sentence for those found guilty of violating federal data-theft law.

The Senate subcommittee meeting is the first of three Congress is holding this week to examine consumer data vulnerabilities in the wake of colossal breaches at national retail chains. Executives from Target and Neiman Marcus will testify before the Senate Judiciary Committee on Tuesday, and will do so again Wednesday in front of a House Energy and Commerce subcommittee.

Target's breach was the first in an avalanche of data thefts to come to light in recent months, a heist that stole the names, addresses, phone numbers, and credit-card information of as many as 110 million customers.

Threatwatch Alert

Network intrusion / Spear-phishing

Researchers: Bank-Targeting Malware Sales Rise in Dark Web Markets

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security


When you download a report, your information may be shared with the underwriters of that document.