WASHINGTON — A Target executive told a Congressional panel Wednesday that a national federal breach-notification standard would be better than a patchwork of state laws that retailers must meet when data security breaches are discovered and consumer financial and personal data are compromised.
Target Corp. and Neiman Marcus Group executives testified before a House Energy and Commerce subcommittee on cyber crime and consumer data protection — marking the second hearing in two days — as lawmakers in both chambers explore ways to craft legislation to combat cyber crime and develop national standards and a uniform data-breach notification requirement.
Illinois Attorney General Lisa Madigan criticized the security systems of U.S. companies and their ability to protect consumer data in her testimony before the panel, and noted that her office has joined that of Connecticut Attorney General George Jepsen in launching a multistate investigation into the data breaches at Target, Neiman Marcus and Michaels Stores.
Lawmakers are probing how the data security breaches at Target and Neiman Marcus happened, whether the companies notified the public quickly enough about compromised personal information and payment cards, and whether federal legislation should be devised to create national standards and strengthen enforcement of data security breaches in the private sector.
Rep. Gus Bilirakis (R-Fla.) asked executives from both retailers whether they supported a national standard on security-breach notification, which was at the heart of the two days of Congressional hearings.
“Given that [46 states and the District of Columbia] in the U.S. and its territories have developed data-breach notification laws with different requirements — standards of harm and definitions of personally identifiable information — do you or your companies find it difficult to navigate through very different standards?” Bilirakis asked.
“It’s my understanding the majority of the [state] statutes provide for broad public disclosure and we provided broad public disclosure on Dec. 19,” said John J. Mulligan, Target’s executive vice president and chief financial officer, noting that the company disclosed the breach in major newspapers and also provided notices via e-mail to 17 million of its customers.
Target reported the breach in December, which it initially said affected 40 million consumers who purchased goods in stores and potentially had their debit and credit card information stolen. The retailer later said another 70 million consumers may have had personal data such as their names, addresses, e-mail addresses and phone numbers stolen.
“Certainly one standard would be easier to follow than 47, but we complied with all 47 state statutes,” Mulligan said.
Michael R. Kingston, senior vice president and chief information officer at Neiman Marcus, said he didn’t have an “opinion” on a national standard but warned that any legislation should be “flexible” as merchants try to defend against highly sophisticated malware attacks.
“I would say that it’s important there be flexibility with whatever [legislative] standards we have because I do think these investigations, these events are different and on a case-by-case basis need to be handled differently,” he said.
Neiman Marcus Group Ltd. LLC disclosed its data security breach on Jan. 10, reporting that 1.1 million payment cards may have been compromised.
The National Retail Federation has said it supports a uniform federal breach notification law that preempts the current state laws.
“There is currently no comprehensive federal law that requires companies to protect consumer or user data,” said Rep. Jan Schakowsky (D-Ill.). “Nor is there a federal requirement that companies inform their customers in the event of a data breach.…I believe it is critical that this subcommittee move forward with legislation that will ensure that best practices are followed at all retailers and that consumers are informed as soon as possible after cyber theft is discovered.
Rep. Lee Terry (R-Neb.), chairman of the Subcommittee on Commerce, Manufacturing and Trade, said he is working on legislation that would “foster quicker notification [by businesses] by replacing the multiple — and sometimes conflicting — state notification regimes with a single, uniform federal breach-notification regime.”
Edith Ramirez, chairwoman of the Federal Trade Commission, testified that the FTC wants legislation that strengthens its existing authority over data security standards, gives the FTC the ability to seek civil penalties to deter unlawful conduct and requires companies to provide notification to consumers when there is a security breach.
“Never has the need for legislation been greater,” she said. “With reports of data breaches on the rise, and with a significant number of Americans suffering from identity theft, Congress needs to act.”
Breaking News: @louisvuitton's men's artistic director @mrkimjones is leaving the French fashion house after nearly 7 years. Jones joined Louis Vuitton in 2011, following a three year tenure as creative director of British luxury goods brand Alfred Dunhill. Jones is to exit Louis Vuitton after showing his fall 2018 collection for the brand in Paris on Thursday. Read the full exclusive story on WWD.com. Link in bio. #wwdnews #wwdfashion
For men’s fall 2018, @giuseppezanotti drew on elements from streetwear, sport, biker, combat and rock ‘n’ roll. Pictured here are a pair of shoes from the collection, featuring zippers, rhinestones, and silver hardware. Head to WWD.com to see a roundup of the accessories from Milan’s men’s fall 2018 shows. #wwdfashion (📷: Andrea Delb)
To celebrate the 25th anniversary of @ralphlauren’s snowboarding collection, the brand is mining its archives. The iconic brand is reintroducing vintage styles and dropping new designs for a color capsule that will be available in Ralph Lauren stores and @openingceremony on January 25. The capsule will consist of 10 pieces, including the Snow Beach Pullover, pictured here, which is a collector’s item that rapper Raekwon wore in Wu-Tang Clan’s “Can It Be All So Simple” video. #wwdfashion (📷: Tom Gould)
For @rochasofficial’s pre-fall 2018 collection, creative director Alessandro Dell’Acqua channeled the sophisticated and intriguing Catherine Denevue in the film “Belle de Jour.” Polished collarless coats, midi skirts, suits and ’60s graphic motifs were all featured in the collection, adding a sense of discreet luxury. See the rest of the photos on WWD.com #wwdfashion
“We tried to produce clothing of that couture quality, but the most daunting part was that we only had a matter of days [to do it],” said costume designer Lou Eyrich, who recreated Gianni Versace’s iconic looks for @americancrimestoryfx. Eyrich searched online retailers and vintage shops for original pieces from the design house and for @penelopecruzoficial, who plays Donatella Versace. Head to WWD.com to read how she created the Versace world. #wwdfashion
Only three months after her stellar debut catwalk season, @kaiagerber has inked her first big design collaboration –– with @karllagerfeld. The collection blends Lagerfeld’s Parisian chic aesthetic and the model’s signature West Coast casual style via RTW, accessories, footwear and more. The #KarlLagerfeldxKaia collection will launch in September with a series of events. Get all the details on WWD.com. #wwdnews #wwdfashion
Harrods plans to remove the famous statue of Princess Diana and Dodi Al Fayed from the bottom of the Egyptian escalators and hand it back to Mohamed Al-Fayed. “We are very proud to have played our role in celebrating the lives of Diana, Princess of Wales and Dodi Al Fayed at Harrods and to have welcomed people from around the world to visit the memorial for the past 20 years,” said Michael Ward, Harrods managing director. “With the announcement of the new official memorial statue to Diana, Princess of Wales at Kensington Palace, we feel that the time is right to return this memorial to Mr. Al Fayed and for the public to be invited to pay their respects at the palace.” More on the news, with reporting by @loreleimarfil, at WWD.com. #wwdnews