The Target (NYSE:TGT) data breach has affected more than 70 million consumers, and one industry expert thinks Congress can do two critical things to help ensure every American is protected.
Last week, the Commerce, Manufacturing, and Trade Subcommittee of the House Energy and Commerce Committee announced that Target has agreed to testify on Capitol Hill as part of an early February hearing intended to "examine data breaches and their effect on consumers."
"By examining these recent breaches and their consequences on consumers, we hope to gain a better understanding of the nature of these crimes and what steps can be taken to further protect information and limit cyber threats," Reuters quoted the panel's chairman, Rep. Lee Terry (R-Neb.), as saying.
In a recent interview with Jason Oxman, CEO of the Electronic Transactions Association, I asked what critical steps Congress could take to ensure that American consumers' information is protected. Oxman's trade organization represents the payments technology industry, and its 500 members process more than $4 trillion in payments annually.
Focused law enforcement resources
"Clearly the Target breach and other cybersecurity breaches we've seen recently are the product of very sophisticated international criminal syndicates that tend to congregate in Eastern Europe," Oxman said.
"One thing that Congress could do is really focus law enforcement resources on breaking up those international criminal syndicates, ensuring they are not getting any support or cover from the countries in which they operate, and trying to bring to justice some of these criminals who are really out there causing a lot of harm to merchants," he continued.
Consider that in its 2013 Data Breach Investigations Report, Verizon noted that 92% of the 621 data breaches it studied were the work of actors outside the victim organization, versus just 72% of the 90 breaches seen in 2009. Of those external incidents, more than 55% were the result of organized crime syndicates.
The organized crime groups focused on the finance, retail, and food industries, and 40% of the attacks originated from Romania, Bulgaria, and Russia. Unsurprisingly, their desired data included payment cards, credentials, and bank account information. The study even said, "As economic and social activities continue to go online, criminals will follow in order to exploit the soaring amount of data that can be (all too easily) converted to cash."
Oxman said Congress should use its resources to put together a coordinated effort to stop these international criminals from targeting American consumers, as "part of the larger discussion of cybercrime that targets not only retailers, but other infrastructure here in the U.S."
In addition to focused and targeted efforts against international cybercriminals, Oxman also said a key goal for Congress should be "harmonizing the manner by which consumers are notified of breaches."
He pointed to the recent example of Target's delays in alerting consumers following the holiday season data breach, as well as "Neiman Marcus in particular, which apparently knew about [its own 2013-14] breach for close to a month before it started notifying people."
"There are 46 different state laws that govern the time, place, and manner of breach notification for consumers," noted Oxman. "There should be a single federal law that sets out very clearly to companies that are breached: here is what you have to do, when you have to do it, and how you have to do it."
To this end, Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) in January reintroduced his Personal Data Privacy and Security Act, which he has pushed since 2005. A press release from Leahy's office notes that "the bill would establish a national standard for data breach notification, and require American businesses that collect and store consumers' sensitive personal information to safeguard that information from cyber threats."
Leahy said in the release that the Target data breach was "a reminder that developing a comprehensive national strategy to protect data privacy and cybersecurity remains one of the most challenging and important issues facing our Nation."
That certainly seems to line up with Oxman's assertion that "if we had that single federal regime for breach notification, consumers would have a lot more protection and the ability to do what they need to do as soon as they need to do it in order to protect themselves from future breaches."
Americans everywhere can only hope the Target breach spurs elected officials to make the appropriate moves to protect them and their information.