The lack of a federal standard and internal accountability were cited as barriers to cybersecurity at a Senate hearing Wednesday.
Facing persistent interrogation from Sen. John D. Rockefeller (D., W. Va.), chairman of the U.S. Senate Committee on Commerce, Science & Transportation, Target Corp. executive vice president and chief financial officer John Mulligan acknowledged that “multiple teams” reporting to “several different executives” within the Minneapolis-based discounter’s organization bore collective responsibility for the security of consumer data collected by the store at the time of the 2013 breaches.
“That worries me,” said Rockefeller, acknowledging that Beth Jacob, Target’s former chief information officer, had been assigned much of the blame for the breach, which compromised payment card information from 40 million customers and personal data from another 70 million.
“It has to come down to a point, a source point,” Rockefeller shot back, “and I think it has to be the board of directors and the chief executive officer. And then you can scatter responsibility however you want to.”
Mulligan outlined steps taken by Target since discovery and revelation of the breach on Dec. 19. The company has accelerated its $100 million investment in chip and PIN technology, aiming to get 10,000 guest payment devices into stores by September, six months earlier than originally planned, and to begin rolling out chip-laden cards to consumers early next year.
Among the steps taken to prevent a recurrence of a breach, Mulligan said Target had fortified its antivirus and antimalware protections by speeding up the installation of “whitelisting” software, which weeds out all but desired programs, on its registers.
Ellen Richey, chief enterprise risk officer for Visa Inc., said she was encouraged by the growing acceptance of the chip-and-PIN system brought on by the breach at Target, Neiman Marcus and other stores. With liability for such breaches set to shift in October 2015 from financial institutions to merchants, she said she was “hopeful” for substantial adoption in the months ahead.
Enforcing cyber-breach laws and punishing violators have been complicated by a patchwork of state regulations. Asked if a federal law, like the statute introduced by Rockefeller, would be preferable to the current system, all six witnesses at the hearing agreed it would be. In addition to Mulligan, Richey and Edith Ramirez, chairwoman of the Federal Trade Commission, the speakers were David Wagner, president of Entrust Inc.; Peter Beshar, executive vice president and general counsel of Marsh & McLennan; and Wallace Loh, president of the University of Maryland, which recently experienced a data breach of its own.
Rockefeller noted that executives from social media application Snapchat, another recent breach target, had been invited to testify but declined.
“My instincts, which may be skewed, are nevertheless that they’re hiding something,” Rockefeller said.