WASHINGTON — Target executives came to Capitol Hill on Tuesday to defend the company’s handling of last year’s data breach, and found themselves in a protracted debate over what — if anything — lawmakers can do to prevent something like it from happening again.
Hackers stole financial and personal information from up to 110 million Target customers in the weeks after Thanksgiving, making it one of the largest data breaches in history and practically forcing Congress to add consumer financial data to the docket of personal privacy issues it is considering this term.
Lawmakers called their first round of hearings on the matter this week and they’re focusing on one key question: What should be done to keep something like the Target breach from happening again?
Industry: Move to the ‘chip and PIN’
Target CFO John Mulligan told the Senate Judiciary Committee Tuesday that Target backs an industry-favored solution: creating safer “smartcards,” which embed consumer data in a chip within debit or credit cards and require users to enter a PIN before that information is accessed for transactions. Mulligan said Target tried to adopt the technology 10 years ago for its debit cards but couldn’t do so without the rest of the industry going along with them.
“It’s technology like that that we think are important and we’re committed to moving forward and accelerating our efforts in that area,” he said.
There’s a bit of a blame-game going on here: Retailers are essentially pinning their hopes for new privacy provisions on these cards and the financial companies that issue them. They say the cards have been successful in Europe, where they’re much more prevalent, having reduced financial losses in Great Britain by two-thirds since 2004.
Credit companies warn that new cards can’t protect against all types of data breaches: the system wouldn’t have protected Target customers, for example, since the malware that captured some of the consumer data this time was within Target devices, not the affected cards themselves.
Even so, the credit companies are planning to switch over to the new cards by fall 2015, which retailers and consumer groups say will help protect users, even if the latter want the timeline sped up a bit.
But there are some barriers. For one, it’s an expensive transition for retailers — Target said it’s spending $100 million to adopt the new technology. And, in order to protect both consumers and individual companies from becoming fraud targets, everyone in the banking, financial and retail industries would have to move forward together for the system to be most effective.
But consumer advocacy groups, like the Consumers Union, have said the new privacy protections outweigh the costs, and that Congress could step in and compel the financial and retail industries to switch over to the new cards.
“We need a stronger commitment from all stakeholders to adopt this technology sooner rather than later,” Consumers Union policy counsel Delara Derakhshani said.
Sen. Amy Klobuchar, for one, said that might be the way to go.
“There does seem to not be a solution that’s a perfect panacea,” she said. “There seems to be a different kind of way to do these cards, with the chip-and-PIN, that would greatly reduce these kinds of data breaches. You didn’t really hear a lot of dissent on that. The only dissent is: How far does Congress push to get that done? I’m more in favor of pushing it.”
On Monday, the National Retail Foundation made a separate pitch, arguing that the retail industry needs to work both within itself and with banks and credit agencies to research new ways to crack down on cyber crime. The group established a “Cybersecurity and Data Privacy Initiative,” with three goals: broaden security efforts, better inform the public of those efforts, and “build and maintain consumer trust.”
Kingston, the Neiman Marcus executive who testified beside Target about his company’s own data breach in January, said there would need to be some type of public-private collaboration to maximize those efforts.
“Collectively, all of those actors, all of those stakeholders who have intelligence and are able to share that with the community, if we can encourage more of that information sharing, it could help us try to keep up with this problem,” he said.
Bipartisan support for new notification standards
Lawmakers dove head first into consumer financial fraud this week. Mulligan and Kingston will testify at a second hearing, this time in the House, on Wednesday, and the Senate Banking Committee is holding two separate hearings of its own.
Consumer data protection is one area where there’s occasional bipartisan support, although that support has rarely translated into actual legislation. It just hasn’t been a high priority for lawmakers, Consumers Union deputy director David Butler said.
“Unfortunately, it took a big, high-profile event like the Target breach to really put the spotlight on this issue,” he said.
The retail industry hasn’t been too welcoming either, Sen. Al Franken said. But he said the Target breach should change their tune.
“I think now, this may be the moment where we can go forward with it and be more successful,” he said.
Klobuchar and Franken have signed on to a bill introduced by Vermont Sen. Patrick Leahy after the Target breach to mandate better security measures for organizations that store consumer information, enhance prosecution for those behind the thefts and establish a national standard for data breach notifications.
There is no federal law requiring credit companies to alert users when a data breach happens, though most states have one in place, and a national standard won bipartisan support on Tuesday.
There are other bills in the works as well. Sen. Richard Blumenthal introduced a bill on Tuesday morning that would both expand notification and information sharing and create a guide for companies to safeguard customer data.
But here’s where the bipartisanship tends to fall apart. Iowa Sen. Chuck Grassley, the ranking Republican on the Judiciary Committee, wholeheartedly endorsed new notification standards, but stopped short of doing the same for security. Sen. Mike Lee (R-Utah) wondered if some security standards might handcuff companies to old policies as technology evolves.
“I do not believe that we can solve this whole problem by codifying detailed, technical standards or with overly cumbersome mandates,” said Nebraska Republican Rep. Lee Terry, who is chairing Wednesday’s Target hearing.
Industry officials seemed skeptical of such a plan, too.
“I think the thing that we have to keep in mind is that the cyber security threat landscape continues to evolve every day,” Kingston said. “As soon as we established the standards, the whole world knows about it and that gives them the ability to try to come up with ways to defeat those standards.”
More hearings Wednesday
Lawmakers haven’t committed to passing anything yet — this week is mostly about oversight, with legislative wrangling to come later. But Rep. Jan Schakowsky, an Illinois Democrat who sits on the House panel hearing from Target on Wednesday, said she expects Congress will have to act on something, even if it doesn’t completely solve the problem of data breaches.
“I do think Congress can play a role, but that’s not going to get rid of all this,” she said. “Fraudsters are always adapting to new technology.”
Consumer advocates like Derakhshani said the Target breach should push Congress to move on data privacy, whether it’s something as simple as new notification standards or pushing for safer cards. On that, lawmakers seemed to agree.
“If there’s anything we’ve learned from this major, major breach, it’s that we can no longer do nothing,” Klobuchar said. “We have to take action.”
Devin Henry can be reached at firstname.lastname@example.org. Follow him on Twitter: @dhenry