Target’s (NYSE:TGT) large-scale data breach that compromised credit and debit card data for up to 40 million people and personal data for up to 70 million customers is now paving the way for how companies will be required to notify their customers when they realize they’ve suffered a security lapse. According to CBS News, Attorney General Eric Holder on Monday urged Congress to create “a strong national standard” for how companies and retailers must quickly alert their customers when a data breach is discovered.
In December, Target notifyed those suspected to be affected by its breach by making a mass-scale public announcement, sending emails, posting notices, and enlisting social media to spread the news, but Sen. Dianne Feinstein (D-Calif.) was not satisfied with the retailer’s notification strategies and said: “I believe if someone uses their credit at your institution and their data is breached they should be notified. Public notification is vague — you really don’t know.”
Shortly after Target made its data breach public, Neiman Marcus admitted to similar complications in December, saying account information from transactions in 77 of its 85 stores between July and October were potentially exposed to the malware. Consumers were shocked when they were notified so late, and many believed that if it wasn’t for Target, Neiman Marcus never would have reported any cyberattack at all — all problems that led Holder to call on Congress this week for new rules requiring immediate notification.
CBS News reports that the attorney general believes better notification would allow Americans to protect themselves should they suffer vulnerability to a theft. He also said, “It would enable law enforcement to better investigate these crimes — and hold compromised entities accountable when they fail to keep sensitive information safe.”
Target and Neiman Marcus took the trip out to Washington earlier this month to testify about their own respective data breaches and inform the Senate Judiciary Committee how they believe they were attacked and what steps they plan to take to prevent future invasions.
Per CBS News, Target now believes that one of its vendors, a refrigeration contractor based in Pennsylvania, was the vehicle its intruder accessed to place malware on its point of sales registers. Target Executive Vice President and Chief Financial Officer John Mulligan explained that an intruder stole Fazio Mechanical Services’s credentials to access Target’s computer system and placed the malware that was able to steal payment card data from magnetic stripes on credit and debit cards prior to encryption.
Unlike Neiman Marcus, Target notified its customers almost immediately, sending out mass warnings on December 19 — the breach was believed to have occurred between November 28 and December 15 — but as noted earlier, some officials are still unsatisfied with the retailer’s public notification procedure, believing that in this case, private notification would have been more appropriate.
Now, those in Washington are ready to create a better national standard for how consumers are notified, especially considering Neiman Marcus never really did much notifying at all. According to CBS News, 46 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have all secured legislation requiring entities to notify individuals of security breaches of information, but laws vary from state to state, leading to the discontinuities we are now experiencing. Holden believes new legislation would not only better protect individuals but also bolster the Justice Department’s ability to combat crime.