WASHINGTON — The Obama administration's push to create a national standard for when and how banks and other companies must notify customers of a data breach appears to be gaining momentum.
Financial services representatives told a Senate panel on Tuesday they would support the White House’s proposal, which would, among other things, combine a patchwork of 47 state laws on the issue into a federal standard.
Senate Banking Committee Chairman Tim Johnson also appeared supportive of strengthening cybersecurity laws, saying recent high profile data breaches within the financial services sector and elsewhere underscore the importance of the issue.
“Breaches are disruptive and raise the potential for financial fraud, identity theft and, potentially, severe threats to our national economic security,” Johnson said.
Citigroup Inc. was the most recent high-profile data breach, after it disclosed that a hacker had accessed customer information for more than 360,000 credit card accounts last month.
Lawmakers have criticized Citigroup for waiting nearly a month to disclose the breach. The bank said it discovered the breach on May 10 during routine maintenance, but didn’t begin notifying customers until June 3.
Sen. Robert Menendez, D-N.J., said there have been 288 publicly disclosed breaches at financial services companies in the last six years that exposed at least 83 million customer records
“I’m concerned about what are the financial institutions doing, number one, to enhance their position against cyber security attacks, and number two, when there is a breach, what are they doing in their fiduciary responsibility to notify their customers of those breaches,” said Menendez, who introduced his own cybersecurity bill earlier this month.
He pressed witnesses to say whether Citi should have come forward sooner.
Leigh Williams, the president of BITS, the technology policy division of the Financial Services Roundtable, said banks have a responsibility to notify customers of breaches as quickly as possible.
“I think that as soon as an institution understands what has occurred, they have an obligation to notify their regulators under regulatory rules,” Williams said. “And they have a fiduciary and a business responsibility to notify customers if there is any way that the customer can begin to take action to protect themselves.”
Williams said the industry has invested tens of billions of dollars in cybersecurity and is continually improving its ability to repel cyber attacks.
But Marc Rotenberg, the executive director of the Electronic Privacy Information Center and a law professor at Georgetown University, said customers are seeing more and more data breach notifications.
“These problems are going to get worse,” Rotenberg said. “As more sensitive data moves into the cloud, we become more dependent on electronic financial records, and more companies store vast amounts of consumer data on remote servers, the risk that personal data will be improperly disclosed or accessed will necessarily increase.”
Rotenberg said any new cybersecurity legislation should apply breach notification requirements to financial institutions, require authentication techniques that reduce risk to consumers and should not preempt stronger state laws.
The administration proposal, released May 12, would beef up penalties for cyber crimes by synchronizing them with other laws, such as the Racketeering Influenced and Corrupt Organizations Act, or RICO, which is often used to fight organized crime but doesn’t apply to cyber crimes.
It would provide voluntary federal assistance to states and local governments to prevent cyber attacks, and would coordinate information sharing among them. It would also direct the Department of Homeland Security to identify critical infrastructure, such as electricity grids and the financial sector, and work with industries to develop cybersecurity plans.
Stuart Pratt, the president and chief executive of the Consumer Data Industry Association, stressed that any legislative proposals should align with existing laws and regulations.
“It is important for new laws not to impinge on frameworks of law which already establish the necessary focus on data security,” Pratt said. “Such conflicts are not inevitable and do not have to impede the passage of new cybersecurity protections.”
For example, Pratt said the group favors a national breach notification standard, but said lawmakers should avoid “arbitrarily overwriting existing national standards” already in effect, such as guidance already issued by bank regulators.
Williams said BITS also supported the administration’s plan.
“Strong legislation can catalyze systemic progress in ways that are well beyond the capacity of individual companies, coalitions or even entire industries,” Williams said. “We urge the committee and the full Congress to leverage existing financial services protections and circumstances, and their analogs in other sectors, while preserving the comprehensive quality of the proposal.”