Banks urged to get faster at reporting cyber breaches

Witnesses say time is of the essence in notifying account holders of incidents, and imply Citigroup did not respond fast enough to a recent intrusion.

An industry group representing the largest financial institutions said banks hit by cyber intrusions should immediately notify federal officials and affected customers, amid controversy over Citigroup's decision to wait weeks before informing account holders of a significant breach.

The White House recently introduced legislative language that would allow a much longer grace period to inform consumers of data theft. The measure, which is part of a comprehensive proposal to strengthen U.S. network security, would replace a hodgepodge of 47 conflicting state laws with one national requirement to notify people whose personal information has been compromised within 60 days of detecting a breach.

On Tuesday, during a Senate Banking Committee hearing on cybersecurity in the financial sector, Sen. Robert Menendez, D-N.J., asked a Financial Services Roundtable official if he thought a month would be an appropriate deadline for notification. The reply he received seemed almost critical of Citi's behavior.

"I think that as soon as an institution understands what has occurred, they have an obligation to notify their regulators, under regulatory rules, and they have a fiduciary and a business responsibility to notify customers if there's any way that those customers can begin to take action to protect themselves," said Leigh Williams, president of BITS, a roundtable division that works to garner consumer confidence in e-commerce.

Menendez said, "I appreciate that answer because of what I can perceive of Citi's response -- that was not the case."

Citigroup delayed notification for nearly one month. On May 10, Citi discovered that roughly 360,000 North American credit card customers had been affected by a data breach, and began informing those account holders on June 3, according to the bank.

"The majority of accounts impacted were identified within seven days of discovery," Citi officials said in a June 15 statement. "Notification letters were sent beginning June 3, the majority of which included reissued credit cards."

An Obama administration official testified that companies that hold off on reporting incidents until they have a full account of the events may be more helpful to federal agents, although such details should be released as soon as possible.

"I think the administration's proposals on data breaches lay out specific timelines that we think are enough time for institutions to have that information," said Pablo A. Martinez, Secret Service criminal investigative division deputy special agent in charge. For law enforcement investigations, he said, it helps when an organization can relay "a more clear, concise and exact set of events [that] helps us significantly instead of getting dribs and drabs of information."

Menendez noted that Tuesday's hearing was timely on a personal level because hackers currently are targeting Senate aides with a phishing scheme, which lures them to open attachments or click on links to phony websites that steal personal information.

"A widespread phishing campaign is being targeted on Senate staff with a false [Internal Revenue Service] statement," he said. "This is a constant challenge and clearly the United States Senate is not immune from it."