On Wednesday, the Senate Commerce Committee held a hearing on “Protecting Personal Consumer Information from Cyber Attacks and Data Breaches.”  With recent high-profile breaches, and White House officials just this week telling industry executives that federal authorities notified more than 3,000 companies of cyber attacks last year, data security continues to attract the attention of lawmakers.  Specifically, the hearing follows data-breach legislation introduced in January by Chairman John D. Rockefeller IV (D-WV), which parallels at least four other similar bills recently proposed in the Senate.  Last month, several congressional committees held hearings on the topic of cyber security and data breach, dedicating almost an entire week to the issue.

Ahead of the hearing, Chairman Rockefeller released a majority staff report analyzing the Target data breach by applying the widely used “intrusion kill chain” analytic framework.  The kill-chain doctrine illustrates how cyber threats, viewed as a progressive campaign involving a number of distinct intrusion points, can be combated by disrupting different phases of the attack chain.  Appearing in the Senate for the second time this year after discussing his company’s data breach with the Judiciary Committee last month, Target’s Chief Financial Officer John Mulligan testified at the hearing.  The single panel also included witnesses from the government and public and private sectors, including the Federal Trade Commission, Visa, and the University of Maryland, which recently suffered two data breaches.

While Mr. Mulligan spent some time discussing the particulars of Target’s data breach and response efforts, the hearing primarily addressed industry-wide prevention and enforcement possibilities.  Committee members examined the following principal points.

  • Senator Claire McCaskill (D-MO) focused on the need to incentivize businesses to engage in better data protection, but suggested that much of the cost associated with a data breach falls not on a company like Target, but on credit unions and local banks.  Finding it “important that the risk is borne by those who must engage in the activity to protect,” Senator McCaskill noted that there is less incentive to protect if the risk is low.  Senator McCaskill therefore requested clarity on where the risk actually falls so that Congress can properly align incentives in the free market, which she thinks is more effective in controlling business practices than the government.
  • Senator Amy Klobuchar (D-MN) also examined breach prevention, by posing the question of whether the U.S. is finally positioned to adopt chip-and-PIN technology along with the rest of the world.  Taking this global perspective, Senator Klobuchar also suggested the need for the federal government to seek out international partnerships on this issue, particularly for law enforcement, since it is often foreign actors who wage cyber attacks.
  • Senator John Thune (R-SD) discussed the possibility of a single federal data-breach standard and the value of federal preemption.  With regard to enforcement power over such comprehensive federal legislation, Senator Thune raised concerns about the perceived lack of guidance on how the FTC evaluates “unfairness” under its Section 5 authority.
  • Senator Mark Pryor (D-AR) likewise focused on the FTC’s enforcement processes and inquired whether the FTC operates on a case-by-case, ad hoc basis or through formal procedures.  Replying to FTC Commissioner Edith Ramirez’s answer that, on data-breach matters, the FTC normally takes action in conjunction with a specific investigation, Senator Pryor recommended that the FTC adopt a task-force model, whereby regular meetings with key stakeholders explore preventative solutions before security incidents begin.

In response to a question from Senator Roy Blunt (R-MO) about whether a uniform national standard would benefit consumers, all witnesses said they supported a federal data-breach regime, including requirements for breach notification.  Currently, data breach is governed by a patchwork quilt of state laws, all of which would be preempted by Chairman Rockefeller’s proposed bill, as well as other bills recently proposed.  Ms. Ramirez expressed agreement that, so long as a federal law imposes sufficiently strong standards, it should preempt existing state laws.  Ellen Richey, Chief Enterprise Risk Officer at Visa, added that a federal standard would “ease the way” so that businesses could get notification out faster and focus on consumers rather than parsing through varied state obligations.