WASHINGTON — Rep. Darrell Issa (R., Calif.), chairman of the House Committee on Oversight and Government Reform, is seeking detailed documents and communications from Target Corp. as the panel investigates how and when the retailer learned of a massive data security breach and the length of time it took to notify consumers their sensitive financial information had potentially been compromised.
Issa sent a letter to Gregg Steinhafel, Target’s chairman, president and chief executive officer, asking the company to submit by March 10 all internal documents and communications from Nov. 1 to Dec. 13 relating to any “suspicion” of a data breach.
“Recent major data breaches at several U.S. retailers have called into question the adequacy of our data security regulatory regime,” Issa wrote in the letter, which was dated Monday but made public on Tuesday. “The committee is specifically concerned that current data breach notification requirements may fail to provide consumers with timely warning and sufficient notice that their private information may be at risk.”
A Target spokeswoman acknowledged the letter and said via e-mail: “We appreciate chairman Issa’s interest, are in contact with his office and look forward to continuing to work with him and other members of Congress.”
Target reported its breach in December and initially said it affected 40 million consumers who purchased goods in stores and potentially had their debit and credit card information stolen. The retailer later said another 70 million consumers may have had personal data such as their names, addresses, e-mail addresses and phone numbers stolen.
In testimony before two Congressional committees this month, John J. Mulligan, executive vice president and chief financial officer at Target, outlined Dec. 12 to Dec. 19 as the time line it took Target to identify and neutralize malware that was used in the data security breach to the first notification to its customers.
Mulligan told lawmakers at those hearings that a national federal breach notification standard would be better than a current patchwork of state laws. He also defended Target’s broad public disclosure on Dec. 19, explaining that it was in line with the “majority of state statutes.”