WASHINGTON - Lawmakers kicked off a week of investigations into recent data breaches on Monday and Tuesday, grilling bankers, retailers, government officials and consumer advocates about why the breaches occurred and what can be done to prevent future incidents.
Reports that hackers stole credit and debit card numbers, along with other personal information, for as many as 110 million Target customers over the holidays have renewed the cybersecurity debate in Washington, with other merchants, including Neiman Marcus and Michaels, now reporting recent breaches as well.
Below are key takeaways from the first two congressional hearings on the issue; further hearings are scheduled for later in the week.
EMV technology is important, but it's not a panacea
Concerns about data breaches aren't new to the retail and banking industries or to Congress, but the challenges still facing the various stakeholders were plainly on display. Lawmakers pressed executives from Target and Neiman Marcus about how and when they learned of the cyberattacks against their networks, which initially went undetected for weeks or even months.
John Mulligan, executive vice president and chief financial officer at Target, acknowledged that the retailer was not aware of a possible breach until it was notified by the Department of Justice in mid-December. John Kingston, senior vice president and chief information officer at Neiman Marcus, said the store learned of the problem when MasterCard reported fraudulent activity on more than 100 credit cards that had been used there.
Still, the debate at both hearings focused a great deal on actions banks and merchants can take together to improve protections around the use of credit and debit cards, including implementation of chip technology used in Europe and elsewhere around the world to replace the magnetic stripe on the back of most cards today.
Lawmakers pressed witnesses as to why the technology has not advanced more quickly in the U.S., given ongoing concerns about data security.
"I understand that Europe had reasons to go to chip early on, but are you saying that the banks have just now discovered that chip and PIN would be a more secure system? Or have they had some reason to know that for many, many years now?" said Sen. Elizabeth Warren, D-Mass., at a Senate Banking subcommittee hearing on Monday.
The debate also highlighted ongoing tensions between the financial services industry and retailers over whether chips should be paired with a signature or a personal identification number.
"One of my concerns with PIN data is it is a static piece of information. The chip brings the dynamic data to the transaction, which is really what renders the compromised data useless," said James Reuter, executive vice president of FirstBank in Colorado, on behalf of the American Bankers Association. "So I would appreciate and support the ongoing debate on chip and signature, but I would hate to delay the deployment of chip technology on this one issue, because it has the biggest impact on fraud."
But retailers fired back, saying that the two measures need to be deployed together.
"Well, signature is worthless. I mean, your signature is on the back of your card right now. If you lose it, a thief finds it, there's an exemplar there for them to copy your signature," said Mallory Duncan, general counsel at the National Retail Federation. "Imagine putting up burglar alarms in your house. You have one sort of protection for the doors when they open and a second sort of protection for the windows. Why would you say, well, this one works differently, so I'm not going to alarm the windows? If you want security, you've got to have a whole system. It's got to be PIN and chip. And I'm just flummoxed as to why anyone thinks otherwise."
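Reuter's distinction between static and dynamic data is the technical crux of the chip debate. The following Python sketch is an added illustration, not part of the hearing record or any payment network's code. It contrasts a stolen magnetic-stripe record, which authorizes again and again because the same bytes are sent every time, with a chip-style transaction in which the card signs a per-transaction counter, amount and terminal nonce. The cryptogram construction (HMAC-SHA256 over a few fields), the sample PAN and the per-card key are constructed for the example and are assumptions; real EMV cards use derived session keys and a different MAC construction.

```python
"""Toy model of why a stolen static card record can be replayed while a
chip-style dynamic cryptogram cannot.  Added illustration only: it models
the principle described at the hearing, not the real EMV specifications."""
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed sample data: a fake PAN and a fake per-card key (assumptions).
SAMPLE_PAN = "4000123412341234"
SAMPLE_KEY = b"constructed-per-card-key-not-real"


def make_cryptogram(key, pan, atc, amount, unpredictable_number):
    """Stand-in for an EMV ARQC: a MAC over transaction-specific fields.

    Assumption: HMAC-SHA256 is used here only for illustration; real cards
    derive a session key and use a different MAC construction."""
    msg = f"{pan}|{atc}|{amount}|{unpredictable_number}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class Issuer:
    """Issuer-side authorization host (simplified)."""
    cards: dict = field(default_factory=dict)  # pan -> {"key": bytes, "atc": int}

    def enroll(self, pan, key):
        self.cards[pan] = {"key": key, "atc": 0}

    def authorize_stripe(self, track_data):
        # Magnetic-stripe data is static: the same bytes are sent on every
        # purchase, so the host can only check that the account exists.
        pan = track_data.split("=")[0]
        return "APPROVED" if pan in self.cards else "DECLINED"

    def authorize_chip(self, pan, atc, amount, unpredictable_number, cryptogram):
        card = self.cards.get(pan)
        if card is None:
            return "DECLINED: unknown card"
        # A transaction counter that does not advance means replay.
        if atc <= card["atc"]:
            return "DECLINED: replayed counter"
        expected = make_cryptogram(card["key"], pan, atc, amount, unpredictable_number)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINED: bad cryptogram"
        card["atc"] = atc
        return "APPROVED"


@dataclass
class ChipCard:
    """Card-side model: a monotonically increasing counter and a per-card key."""
    pan: str
    key: bytes
    atc: int = 0

    def transact(self, amount, unpredictable_number):
        self.atc += 1
        return (self.pan, self.atc, amount, unpredictable_number,
                make_cryptogram(self.key, self.pan, self.atc, amount, unpredictable_number))


def demo():
    """Run both models against the same issuer and return the outcomes."""
    issuer = Issuer()
    issuer.enroll(SAMPLE_PAN, SAMPLE_KEY)
    results = {}

    # 1. Static stripe record (constructed): identical on every use.
    track = f"{SAMPLE_PAN}=2512"
    results["stripe_first"] = issuer.authorize_stripe(track)
    results["stripe_replay"] = issuer.authorize_stripe(track)  # same bytes, still approved

    # 2. Chip-style transaction with a per-transaction cryptogram.
    card = ChipCard(SAMPLE_PAN, SAMPLE_KEY)
    genuine = card.transact(amount=1999, unpredictable_number=0x1A2B3C4D)
    results["chip_genuine"] = issuer.authorize_chip(*genuine)
    # Re-sending the captured authorization message fails on the counter.
    results["chip_replay"] = issuer.authorize_chip(*genuine)
    # Changing the amount without the card key fails the MAC check.
    pan, atc, _amount, un, cg = genuine
    results["chip_tampered"] = issuer.authorize_chip(pan, atc + 1, 99999, un, cg)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} {outcome}")
```

The stripe path approves the second presentation of the same record because nothing in it is bound to a particular transaction; the chip path rejects both the replay and the tampered amount even though the attacker holds a complete, valid authorization message. That is the sense in which compromised dynamic data is "useless", and it is also why the dispute over PIN versus signature is a separate question about cardholder verification rather than about the card data itself.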
Mulligan said Target tried to adopt chip technology with its store cards more than a decade ago, but that the effort needs to be matched by others in the industry.
"We put guest payment devices, as we call them, in our stores to read chips. We introduced a new payment card, a Target Visa card with a chip in it," he said at a Senate Judiciary Committee hearing on Tuesday. "But without broad adoption, there aren't significant benefits for consumers."
Some lawmakers asked whether Congress could legislate improved security standards without mandating specific technologies, which could quickly become outdated given the current pace of innovation in financial services.
"I see several of you caution against adopting a similar standard by law that would lock in any specific technology. However, even if we do not adopt a federal legal standard that favors one technology over another, couldn't we still have a standard based on performance?" said Sen. Robert Menendez, D-N.J. "In other words, at what point should it be considered a reasonable security risk for a company not to be using chip-and-PIN technology or something that performs equivalently?"
Fran Rosch, a senior vice president at Symantec, added that the debate over EMV cards gets at "just one kind of potential breach point."
"What companies really need to do is look at very layered securities, at every part of their ecosystems, and ensuring good basics like putting stronger authentication in place so bad people can't get into the networks, and so their companies can start laying the foundation for this threat," he said.
Sen. Mark Warner, D-Va., meanwhile, warned that fraud activity could spread more widely to online sales with the advent of chip-and-PIN technology in the U.S.
"I'm very supportive of moving toward chip and PIN. I would only point out, as I dug into the data on the U.K., when we saw chip and PIN and face-to-face transaction fraud drop dramatically, it was like squeezing a balloon," he said. "And you saw online fraud in the U.K. shoot up, I think, something like 30%."
Added protections may be needed for debit cards
Lawmakers also asked witnesses whether additional security standards are needed for debit cards, as well as credit cards.
"And, you know, I think again about the fact that where the growth in debit cards is coming is younger folks and the underbanked community who potentially are the most vulnerable if they don't have these protections," Warner said. "It would seem to me that equalizing cards on the same standard makes common sense too."
Reuter, representing the ABA, downplayed the need for congressional action on the issue, saying that banks were already doing enough to protect consumers using debit cards.
"I believe that from the legislative perspective, the way we're all performing as banks, I'm not sure additional legislation is needed, because we are adhering to a zero-liability policy as a matter of our business practice," he said.
Consumer advocates shot back, arguing that more could be done to protect consumers in the case of debit card fraud.
"The issue here is that zero liability may not occur in all circumstances. It may only apply to signature transactions, not to PIN-based transactions," said Edmund Mierzwinski, consumer program director at PIRG. "And also I would look at the zero-liability contract and say, what if I had two violations in a year, do they honor the second one? Because some banks don't."
Delara Derakhshani, policy counsel for Consumers Union, added that fraudulent charges can also trigger additional fees for consumers.
"While consumers might not ultimately be held responsible if someone steals their debit card data or PIN number, data thieves can still empty out a consumer's bank account and set off a cascade of bounced checks and late fees, which victims will have to settle down the road," she said.
Consumer notification remains a problem
Lawmakers also raised concerns about the need for federal consumer notification standards in the wake of data breaches.
Sen. Dianne Feinstein, D-Calif., who said she shops at Neiman Marcus, pressed the retail executives about their processes for telling customers about a breach.
Kingston said Neiman Marcus notified both in-store and online customers in mid-January, extending the effort beyond the estimated 1.1 million affected customers. Mulligan, Target's CFO, said that given the extent of the breach, the retailer opted for a public disclosure campaign to reach customers without an email address on file, with notices appearing on the front pages of major newspapers.
"For those guests which we had email addresses for, we notified them by email," Mulligan said. "But given the scope, we thought it appropriate that broad disclosure was the best path to go, and so we had very broad disclosure through the media, on our website, through social media, a multitude of channels."
Feinstein, a longtime advocate for federal notification standards, argued that such measures are insufficient for letting customers know that their information may have been exposed.
"Here's the problem with that. The public notification is always vague. It is sort of nonspecific. You really don't know," she said. "And then you find out kind of brutally in other ways if you have money missing."
Several lawmakers, including Sen. Patrick Leahy, D-Vt., chairman of the Judiciary Committee, referenced proposals for legislation to strengthen data security standards and consumer notification, though it's unclear if momentum will coalesce around any one bill. In the meantime, lawmakers urged the industries involved in the breaches to step up their efforts to protect against cybercrime.
"I think that the industry, or maybe I should say industries, have a lot of soul searching to do about whether they've been protective of consumer information," said Sen. Blumenthal, D-Conn. "Because, as we know, you can apprehend, investigate, prosecute criminals, but rarely does that compensate [consumers] when they are victims of identity theft."
The next round of hearings on the issue will take place later this week. The House Energy and Commerce Committee will pick up the debate with a hearing on Wednesday while the Senate Banking Committee will address concerns about data security and financial stability with top banking regulators on Thursday.