Attorney General Eric Holder is urging Congress to require companies to promptly alert consumers and law enforcement authorities to significant data breaches.
The legislative push by the nation's top prosecutor comes as lawmakers, law enforcement authorities, banks and retailers are assessing cyber security in the wake of recent data thefts at Target Corp. and other companies that exposed the personal information of millions of consumers.
"Today, I'm calling on Congress to create a strong, national standard for quickly alerting consumers whose information may be compromised," Holder said, according to a transcript of videotaped remarks to be posted on the department's website today.
Holder pointed to no specific piece of legislation in his comments. Lawmakers, who have held hearings over the last month on consumers' vulnerability to cyber attacks, have proposed several measures to address the issue, including setting national database security standards and creating standards for data theft reporting.
Bankers and retailers have been at odds over responsibility for losses from cyber theft, with about $40 billion of revenue earned by card issuers including JPMorgan Chase & Co., as well as the profits of Target and other retailers affected by the breaches at stake.
In testimony before the Senate Judiciary Committee on Feb. 4, a top Justice official urged Congress to adopt a 2011 White House proposal that would require business to alert the federal government to data breaches.
The Obama administration's proposal would also require certain businesses to notify individuals whose data is stolen in a way that balances safeguarding consumers with "setting clear standards that avoid undue burdens on industry," said Mythili Raman, the Acting Assistant Attorney General of the department's criminal division.
Under the proposal, only businesses that store, access, transmit or collect identifiable information on more than 10,000 people would be required to alert individuals about data breaches. Businesses with "effective" data breach prevention programs would then be exempt from notifying individuals about a theft if it was determined that individuals were not likely to be harmed by it, Raman said in written testimony.
The issue of data theft gained national attention after Minneapolis-based Target confirmed in December that hackers stole credit and debit card data for as many as 40 million consumers who shopped in its stores. The nation's second-largest retailer later said that hackers also swiped home and e-mail addresses for as many as 70 million customers. Closely held Neiman Marcus Group Ltd. also suffered a hacker attack that exposed personal data of customers.
The U.S. Secret Service is investigating the thefts.
Existing federal law on data breaches is tougher on banks than on retailers. A 1999 law requires financial institutions to notify customers of data breaches. No such federal notification requirement exists for retailers, who instead follow notification laws in 46 states.
Lawmakers have begun to introduce legislation dealing with the problem. Senators Tom Carper, a Delaware Democrat, and Patrick Leahy, a Vermont Democrat, have re-introduced data- security bills. Senate Commerce Committee Chairman Jay Rockefeller, a West Virginia Democrat, offered a new measure on Jan. 30 for customer notifications.
Shawn Henry, a former top FBI agent who oversaw the bureau's cyber crimes branch, said the government needs to specify what it hopes to accomplish by requiring companies to report breaches.
"There needs to be a plan that says what is the objective of reporting the data, what does the government do with the data when it has it, and what does the government give back to the private sector," said Henry, now president of CrowdStrike Services, a technology security firm. "The private sector needs to know what the expectations are."
