Lawmakers agree that further legislative protections are needed to prevent the kind of breaches that brought Target and Neiman Marcus to their knees.
Several senators repeated calls for legislation to ward off massive data thefts during a hearing Monday to review the vulnerability of the nation's digital-payment systems, the first in a trio of sessions this week examining the enormous breaches sustained recently at retailers around the country.
Sen. Elizabeth Warren declared that Congress needed to adopt tighter data-security protections and heighten the Federal Trade Commission's authority to police businesses failing to adequately protect consumer data.
"The FTC should have the enforcement authority it needs to protect consumers and it looks to me like it doesn't have that authority right now," Warren, a Massachusetts Democrat, said during a Senate Banking subcommittee hearing. "Data-security problems aren't going to go away on their own, so Congress seriously needs to consider whether to strengthen the FTC's hand."
The FTC has the authority to punish "unfair" business practices, a standard that continues to remain legally murky. While the FTC has used the standard to go after some companies that have failed to ensure adequate data-security standards, pending legal challenges levied by Wyndham Hotel and LabMD seek to challenge the authority.
"You're describing a fairly demanding standard, since as you say, it's more than breach, more than the fact that people have been injured, more than the fact that a company had very lax standards," Warren told Jessica Rich, director of the FTC's Bureau of Consumer Protection, during the hearing. "This is a real problem, that the FTC's enforcement authority in this area is so limited."
Rich largely agreed with Warren's admonitions, noting that "that's one of the reasons we're supporting general data-security legislation."
Subcommittee Chairman Mark Warner, a Virginia Democrat, repeatedly called for quick action to upgrade security features on plastic card payment methods as a stopgap measure to prevent further data breaches from occurring. He hammered home his conviction that debit and credit cards need to have the same standards of data protection. Currently, credit cards typically afford more protection.
"It would seem to me that equalizing cards on the same standard makes a lot of sense," Warner said. He then asked the second panel to "give me a reason why" the two plastic forms of payment shouldn't be aligned in their protective measures. All witnesses agreed.
But Warner also cautioned that upgraded technology—so-called chip and PIN protections—could only serve as an interim solution and would only be partially effective for online shopping.
Senators and witnesses alike agreed that more needed to be done to secure customer data to prevent more wide-scale breaches, both at retail stores and in online shopping.
"Our card-payment system is outdated and prone to attack," noted James Reuter, executive vice president of FirstBank. "The fraudsters rely on our systems being so porous."
Some steps, like ensuring people use more-complex passwords, are relatively easy matters of customer education.
But more-complicated challenges, such as varied state reporting requirements when a data breach occurs, serve to undercut consumer protections. Congress is considering legislation that would create one federal reporting standard. Separately, Ranking Member Mark Kirk, an Illinois Republican, said he planned to introduce legislation that would mandate a 25-year prison sentence for those found guilty of violating federal data-theft law.
The Senate subcommittee meeting is the first of three Congress is holding this week to examine consumer data vulnerabilities in the wake of colossal breaches at national retail chains. Executives from Target and Neiman Marcus will testify before the Senate Judiciary Committee on Tuesday, and will do so again Wednesday in front of a House Energy and Commerce subcommittee.
Target's breach was the first in an avalanche of data thefts to come to light in recent months, a heist that stole the names, addresses, phone numbers, and credit-card information of as many as 110 million customers.