April 2, 2014
Previously published on March 28, 2014
Senator Jay Rockefeller released a report detailing missed opportunities to improve security, along with vulnerable security methods, that allegedly contributed to the data breach suffered by Target Inc. The report is based on information from reports and expert witnesses related to the recent high-profile data breach. The breach occurred during the 2013 holiday season, when hackers installed malware on Target’s computer network that allowed them to siphon the information and payment-card data of as many as 110 million customers. The information was removed from Target’s servers and routed to a server in Eastern Europe, after initially being rerouted to various servers within the United States. Target publicly announced the breach on December 19, 2013. Since the announcement, bills addressing data breaches and cybersecurity have been introduced in Congress and several hearings have been held in an effort to promote improved data security measures.
Rockefeller, who introduced a data breach bill earlier this year, presented the Target analysis in an effort to continue discussions on data security. The report was followed by a hearing this week that included representatives from Target and the University of Maryland (UMD), which also suffered a recent data breach. During the hearing, UMD’s president, Wallace Loh, highlighted the differences in data protection between the private sector and public institutions, with universities having to balance important considerations of open access and the free exchange of ideas with maintaining data security for sensitive personal information. He also argued that the costs of data protection measures being discussed (and of mandated responses to breaches, like offering free credit monitoring) “would bankrupt most universities.” He called for a federal data breach law.
FTC Chairwoman Edith Ramirez also spoke at the hearing. Saying “companies are underinvesting when it comes to data security,” she urged Congress to grant enforcement authority to the FTC. Ramirez claimed that allowing the FTC to seek civil penalties for data breach violations would serve as a deterrent and would ensure that companies protect consumers’ personal information. Apart from possible federal and state enforcement actions, several lawsuits have already been filed against Target by putative classes and even financial institutions. With the growing spotlight on data security, businesses need to check technical security measures, evaluate best practices, and monitor the political landscape for potential new requirements.