
From Banking and Finance Law Daily, March 27, 2014

Rockefeller calls industry’s attempts at data breach prevention disingenuous at hearing

By J. Preston Carter, J.D., LL.M.

“It’s time to come to the table. Be willing to compromise,” Sen. John D. Rockefeller (D-WVa), chair of the Committee on Commerce, Science, and Transportation, told companies that collect detailed information about their customers. In his opening statement at his committee’s hearing titled “Protecting Personal Consumer Information from Cyber Attacks and Data Breaches,” Rockefeller said that in this era of “big data,” companies are routinely collecting “reams of information about us as we go about our daily lives.”

“For nearly a decade,” Rockefeller said, “we’ve had major data breaches at companies both large and small. Millions of consumers have suffered the consequences. While Congress deserves its share of the blame for inaction, I am increasingly frustrated by industry’s disingenuous attempts at negotiations.”

Rockefeller noted that, as a measure against data breaches and cyber attacks, he has introduced legislation (“The Cybersecurity Act of 2013,” S 1353) that would build on the “long, well-established history of the Federal Trade Commission and state attorneys general in protecting consumers from data breaches.” Rockefeller said he was not willing to “forfeit the basic protections American consumers have a right to count on.”

Thune and Ramirez urge support for federal breach notification law. Committee ranking member Sen. John Thune (R-SD) expressed his support for a uniform federal breach notification standard “to replace the patchwork of laws in 46 states and the District of Columbia.” He argued that a single federal standard would provide consistency and certainty regarding timely notification practices, which benefits both consumers and businesses. Thune has introduced the “Data Security and Breach Notification Act of 2013” (S.1193), which would require companies possessing personal data to notify consumers in a timely manner if their information has been unlawfully taken.

Federal Trade Commission Chairwoman Edith Ramirez told lawmakers that the FTC believes Congress should act, particularly in light of the significant data breaches reported over the course of recent months. “The Commission is here today to reiterate its longstanding, bipartisan call for enactment of a strong federal data security and breach notification law,” she said. “Never has the need for legislation been greater.” Ramirez also called for legislation to give the FTC the authority to seek civil penalties to help deter unlawful conduct, rulemaking authority under the Administrative Procedures Act, and jurisdiction over non-profit entities, which are not currently subject to FTC oversight.

Target responds. John Mulligan, Executive Vice President and Chief Financial Officer of Target, apologized to the committee and his customers for its recent data breach. In response, he said, his company is “further strengthening our data security based on learnings from an end-to-end review of our system.” Mulligan stated that, prior to the breach, Target had invested significant capital and resources in security and that “in September 2013, our systems were certified compliant with the Payment Card Industry Data Security Standards, meaning that we met approximately 300 independent requirements of the assessment. Yet the reality is that our systems were breached.” Mulligan affirmed that “Protecting American consumers is a shared responsibility and requires a collective and coordinated response. Target remains committed to being part of the solution.”

University data security needs updating. In response to a recent data breach at the University of Maryland, its president, Dr. Wallace D. Loh, said that many university databases were created years ago and need to be updated. Also, universities should perform tests of security defense on an ongoing basis to seal any possible technological gaps. Finally, Loh said there must be an “appropriate balance between centralized (University-operated) versus decentralized (unit-operated) IT systems.”

Data security as a core responsibility. “Simply as a result of more transactions, data and devices going online, and without changes to the security posture of our most important industries and infrastructure, cybercrimes will continue to increase in frequency and potency,” said David Wagner, President of Entrust, a company that secures and protects digital information. He said that “over the past decade we have significantly advanced our understanding of the threat landscape and best practices.” Wagner added that there are opportunities to turn this understanding into action and that this “needs to be a Federal priority and we need to move forward now.”

Wagner proposed harmonizing breach notification laws so that enterprises and consumers alike know what is expected of them. He said the federal government needs to continue to foster the adoption of best practices across both the public and private sectors. Finally, he said, “we must change the cybersecurity culture. Enterprises—large and small, public and private—need to embrace information security governance as a core responsibility.”

Cyber insurance. “[I]nterest in cyber insurance is expanding rapidly,” according to Peter J. Beshar, Executive Vice President and General Counsel of Marsh & McLennan Companies, the world’s largest insurance broker. He said the concept of cyber insurance was first introduced in the 1980s, when insurers began providing coverage for computer failures at banks and other Fortune 500 companies.

Beshar said there are three core types of cyber insurance:

  1. the most basic, which provides protection for out-of-pocket expenses that a company incurs in the wake of a data breach—these expenses include notifying affected individuals, setting up call centers, and providing credit monitoring;
  2. coverage that protects companies if their computer network is effectively shut down for days or longer—with this broader business interruption coverage, a company can recover the actual harm it suffers in the form of lost profits; and
  3. coverage for harm caused to an insured’s clients, customers, and consumers as a result of a significant breach—third-party coverage.

According to Beshar, interest in cyber insurance is expanding most rapidly in the health care, education and financial services industries, all of which handle a large volume of sensitive personal information. He said that cyber insurance is one of many elements of a “comprehensive risk mitigation strategy.” He concluded, “Our success in combatting this dynamic and evolving threat will depend on continued collaboration between government, industry and the non-profit sector.”

Visa says move from data protection to data devaluation. Ellen Richey, Chief Enterprise Risk Officer and Chief Legal Officer of Visa Inc., told the committee that, because no industry can be completely secure all the time, Visa is working with others in the industry toward moving from a data protection to a data devaluation approach. “If the data available in the merchant environment could no longer be reused to commit fraud, then criminals would have no reason to steal it, and merchants would no longer be targeted by criminals seeking to commit payment fraud.”

Richey said this approach relies on three technologies: the EMV chip, a microprocessor embedded in plastic payment cards that generates a one-time-use code for each transaction and is nearly impossible to counterfeit; tokenization, which replaces the accountholder’s 16-digit account number in a payment transaction with a unique digital token tied to that number; and point-to-point encryption, which secures data as it is transmitted from one point to another throughout the transaction processing environment.
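The "data devaluation" argument is easiest to see in code: if what a merchant stores is a one-time code or a merchant-bound token rather than the account number, a copy taken from the merchant environment is worthless to anyone else. The following is an added, deliberately simplified educational model written for this article; it is not Visa's, EMVCo's, or any payment network's actual protocol. The `Issuer` and `TokenVault` classes, the cryptogram construction (an HMAC over PAN, transaction counter and amount) and the sample account number are all assumptions made for illustration. Point-to-point encryption is not modeled.

```python
"""Toy model of two "data devaluation" mechanisms mentioned at the hearing:
an EMV-style one-time transaction code and merchant-bound tokenization.
Simplified educational example; not any real network's protocol."""
import hashlib
import hmac
import secrets


class Issuer:
    """Hypothetical card issuer. It holds the per-card secret that the chip
    would also hold, verifies one-time codes and refuses replays."""

    def __init__(self):
        self._card_keys = {}     # PAN -> secret shared with the chip
        self._last_counter = {}  # PAN -> highest transaction counter seen

    def issue_card(self, pan):
        key = secrets.token_bytes(16)
        self._card_keys[pan] = key
        self._last_counter[pan] = 0
        return key  # in reality this never leaves the chip

    @staticmethod
    def cryptogram(key, pan, counter, amount_cents):
        # The chip computes a MAC over the transaction details. The merchant
        # only ever sees the resulting code, never the key.
        msg = f"{pan}|{counter}|{amount_cents}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

    def authorize(self, pan, counter, amount_cents, code):
        key = self._card_keys.get(pan)
        if key is None:
            return "DECLINED: unknown card"
        if counter <= self._last_counter[pan]:
            return "DECLINED: replayed transaction code"
        expected = self.cryptogram(key, pan, counter, amount_cents)
        if not hmac.compare_digest(expected, code):
            return "DECLINED: bad transaction code"
        self._last_counter[pan] = counter
        return "APPROVED"


class TokenVault:
    """Hypothetical token service. The merchant stores only a random token
    that is bound to that merchant; the PAN stays in the vault."""

    def __init__(self):
        self._tokens = {}  # token -> (pan, merchant_id)

    def tokenize(self, pan, merchant_id):
        token = "tok_" + secrets.token_hex(8)  # random, unrelated to the PAN
        self._tokens[token] = (pan, merchant_id)
        return token

    def detokenize(self, token, merchant_id):
        entry = self._tokens.get(token)
        if entry is None or entry[1] != merchant_id:
            return None  # unknown token, or presented by a different merchant
        return entry[0]


def simulate():
    """Run one legitimate purchase, then show what a copy of the merchant's
    records is worth. Returns the outcomes so they can be checked."""
    pan = "4111111111111111"  # constructed sample number, not a real account
    issuer = Issuer()
    chip_key = issuer.issue_card(pan)

    # Legitimate purchase: chip counter 1, $20.00.
    code = Issuer.cryptogram(chip_key, pan, 1, 2000)
    first = issuer.authorize(pan, 1, 2000, code)
    # A copy of the merchant record (pan, counter, amount, code) presented again.
    replay = issuer.authorize(pan, 1, 2000, code)
    # Same record with a fresh counter but a different amount: the code no
    # longer matches, and the key needed to recompute it never left the chip.
    tamper = issuer.authorize(pan, 2, 99999, code)

    vault = TokenVault()
    token = vault.tokenize(pan, "merchant-A")
    return {
        "first": first,
        "replay": replay,
        "tamper": tamper,
        "token": token,
        "token_leaks_pan": pan in token,
        "token_at_issuing_merchant": vault.detokenize(token, "merchant-A"),
        "token_at_other_merchant": vault.detokenize(token, "merchant-B"),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The model makes the defender's point concrete: the only things a merchant retains are a code that is already spent and a token that only resolves at that merchant, so the breach of the merchant's store yields nothing reusable. The HMAC-over-counter construction is one simple way to get a one-time code; real EMV cryptograms use different key derivation and message formats.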

Richey also explored public policy considerations. She said the government can help create a safe environment to share cyber threat information and work with the international community to improve cooperation among law enforcement agencies. She also encouraged the development of a uniform federal data breach notification standard. Finally, Richey cautioned against “legislating technology standards or mandating a specific security or payment technology.” She believes this would slow the pace at which new payment tools and innovations come to market.

Companies: Entrust, Inc.; Marsh & McLennan Companies; Target; University of Maryland; Visa Inc.

MainStory: TopStory BankingOperations CreditDebitGiftCards IdentityTheft Privacy
