BreachExchange mailing list archives

Target's data breach sparks calls for action


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 6 Jan 2014 17:52:29 -0700

http://thehill.com/blogs/hillicon-valley/technology/194414-targets-data-breach-sparks-calls-for-fed-action

The government is facing increased pressure to institute data security
protections after the high-profile breaches of Target and social networking
app Snapchat.

While some argue that the companies’ security standards are ripe for an
investigation from the Federal Trade Commission (FTC) — which has brought
data security cases as part of its mission to protect consumers from
deceptive business practices — the agency’s ability to intervene is
anything but certain.

Cases currently making their way through the court system could settle
whether the FTC has the authority to get involved, but many hope that
Congress will step in to clarify the commission’s powers once and for all.

Sen. Richard Blumenthal (D-Conn.) warned of the “incalculable harm to
consumers” that can come from the types of data breaches like the one
suffered by Target late last year.

After the Target breach was made public, Blumenthal urged the FTC to
investigate the company’s security practices.

“Customers of companies have a right to expect that their private
information will be properly safeguarded and secured,” he told The Hill on
Friday. “The failure to take those steps is not only a violation of trust
but also potentially of law.”

Over the last decade, the FTC has brought dozens of cases against companies
for failing to safeguard consumers’ data.

According to the commission, companies have a responsibility to live up to
their promises about data security. Allowing firms to be hacked, regulators
have said, is a breach of trust and a violation of companies’ pledges.

But not everyone agrees that the FTC is in the right.

The hotel and resort company Wyndham Worldwide and medical testing company
LabMD are both suing the agency, challenging its authority to bring data
security cases.

Reed Rubinstein, senior vice president at Cause of Action, which is
representing LabMD in its case against the agency, said that the FTC does
not have the legal authority to penalize companies who have suffered data
breaches.

Section 5 of the FTC Act — which the agency cites when defending its
authority in this area — “is absolutely silent on data security,” he said.
“It’s very hard to understand how the FTC lawfully gives itself this
authority.”

If the FTC wants the authority to bring data breach penalties, he said it
needs to give better guidance on what companies should do to protect
consumer data.

Critics say that the FTC’s practice amounts to penalizing companies that
are themselves victims.

“Should the primary function of the U.S. government be to come in and
attack Target, which was the victim of this hack, or should the primary
function of the U.S. government be to turn around and ask the question
of where the hack came from?” said Jeffrey Eisenach, a former FTC official
who is now a visiting scholar at the American Enterprise Institute.

“What is it we’re doing with all of the resources available to us to stop
Target from being hacked and the next Target and the next Target and the
next Target in the future?”

Some privacy advocates say Congress needs to get involved to clear up any
ambiguity about the FTC’s power to hold companies to high cybersecurity
standards.

Blumenthal said that he would “consider drafting and introducing new
legislative authority to keep pace with advancing technology, even though I
believe that consumers have a right under existing law to expect companies
to safeguard their data.”

In a statement, Sen. Ed Markey (D-Mass.) called on Congress to act in the
wake of breaches that have “put millions of consumers at risk for identity
theft and damaging fraud.”

He said Congress should “hold hearings on these serious breaches to
determine what companies are doing to fix their security weaknesses
exploited by data thieves and the steps consumers can take to protect their
sensitive information.”

Democratic Sens. Robert Menendez (N.J.), Chuck Schumer (N.Y.) and Mark
Warner (Va.) have also called for a hearing on the Target breach.

FTC Commissioner Maureen Ohlhausen said the recent high-profile breaches
could fuel a national conversation.

“Any time that there is a data breach from a well-known company that
impacts a lot of consumers, it brings more attention and more energy to the
issue,” the Republican commissioner said.

“With Target being so well known and the number of consumers that can
possibly be affected [being so high], it certainly has gotten lots of
attention, including Congressional attention.”

Data security “seems to have the level of bipartisan interest that would
help” get a bill passed in Congress, she added.

Ohlhausen supports a federal data breach and notification law — especially
if the FTC loses either of the cases challenging its authority — but
defends the agency’s authority to bring cases against companies that fail
to protect their users’ data.

“A uniform federal law for data security and breach notification would make
sense” to give consumers consistent protection and to give businesses one
set of guidance “rather than a patchwork of state laws,” she said, speaking
broadly about data security and not about specific pending litigation.

High-profile breaches like Target’s mean that “everyone is going to feel
this,” according to Ross Schulman, public policy and regulatory counsel at
the Computer and Communications Industry Association. That can help move
the ball forward in the ongoing debate.

Schulman’s group — which includes Google, Facebook and Microsoft — recently
released polling data which found that 75 percent of Internet users are
worried about their information being stolen through security breaches, and
74 percent think the federal government should do more to protect against
identity theft made possible by those breaches.

Ohlhausen defended the FTC against critics who say the agency hasn’t
provided guidance on data security requirements.

The agency has provided “a fair amount of guidance in this area through our
enforcement and our educational efforts,” she said, pointing to published
guides and past data security actions brought by the FTC.

“Everybody is better off … if we give a clear idea of where the lines are
and let companies know.”

Analysts on both sides of the issue agree that government officials should
be chasing hackers and that companies should have some base level of
responsibility to safeguard consumers.

But privacy advocates say the FTC has a responsibility to act where it can.

“They can’t go after the Nigerian spammer or the hacker in Eastern Europe
who did this,” said Justin Brookman, head of consumer privacy at the Center
for Democracy and Technology. “On behalf of consumers, they’re saying that
failure to use reasonable security practices is unfair. It’s bad for
consumers.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
