Senator: New cybersecurity regulations needed for banks
- 22 June, 2011 04:26
- Comments
Current regulations aren't enough to warn customers and protect them against data breaches at financial institutions, one U.S. senator said during a hearing Tuesday.
Senator Robert Menendez, a New Jersey Democrat, questioned why Citigroup took about a month to report a breach affecting more than 360,000 credit card accounts in North America. Citigroup, which confirmed the breach in early June, never notified Menendez's chief of staff that his account was compromised, Menendez said.
The staffer attempted to use his credit card and was declined, then called Citigroup to discover his account was hacked, Menendez said. "It seems to me there is a fiduciary responsibility by the [financial] entity to proactively tell their customer that has happened," he said during a Senate Banking, Housing and Urban Affairs Committee hearing.
Citigroup did not testify at the hearing, and a company representative did not immediately return a phone message seeking comment on Menendez's criticism. But Leigh Williams, president of the BITS division of The Financial Services Roundtable, said he has "no doubt" that banks and other financial services companies have a responsibility to notify customers of breaches.
"Do you think a month to notify customers is an appropriate time frame?" Menendez asked.
"I think that as soon as an institution understands what has occurred, they have an obligation to notify their regulators, under regulatory rules, and they have a fiduciary and a business responsibility to notify customers if there's any way those customers can begin to take action to protect themselves," Williams said.
The banking industry is "constantly" improving its cybersecurity efforts, Williams said.
In the past six years, U.S. financial services companies have reported 288 data breaches, with 83 million records compromised, Menendez said. He questioned whether banks were doing enough to protect their customer accounts.
Menendez called for a national law requiring breached businesses to notify affected customers. More than 45 states have breach notification laws, making it difficult for businesses to comply with all of them, said Stuart Pratt, president and CEO of the Consumer Data Industry Association, a trade group representing data brokers.
Menendez also called on the Senate to pass his Cybersecurity Enhancement Act, which would allocate new money for cybersecurity research and scholarships.
But Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC), warned lawmakers to avoid preempting strong state laws with a weak federal data-breach notification law. Rotenberg questioned Williams' assurances that financial institutions are serious about cybersecurity.
"The experience of consumers today is actually very different," Rotenberg said. "It may be the case that financial institutions are spending a lot of money to safeguard this data, but what consumers are seeing is more and more breaches. We have a problem, and this problem is getting worse."
Existing regulations may not help small banks better protect data, because of limited resources, added Kevin Streff, director of the National Center for Protection of Financial Infrastructure at Dakota State University in Madison, South Dakota.
Small banks and small businesses are the "soft underbelly of underprotected targets," he said. About 70 percent of small and medium-sized businesses lack basic cybersecurity controls, Streff added.
Small banks can't afford to pay "six-figure salaries" to IT security professionals and often add cybersecurity responsibilities to a staff member's duties, Streff said. The U.S. government can help by providing funding for training for cybersecurity professionals, he said.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.
Related Articles
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
- Bookmark this page
- Share this article
- Got more on this story? Email CIO
- Follow CIO on twitter
-
Spiceworks' free management software gets integrated MDM
-
Opinion: Why national e-health is not for everyone
-
Opinion: Why national e-health is not for everyone
-
Opinion: Why national e-health is not for everyone
-
Opinion: Why national e-health is not for everyone
-
Clearing the Clouds for Midmarket Businesses
Cloud computing promises to help midmarket companies reduce cost and complexity in the IT equation – and gain the flexibility and agility they need to thrive. Yet charting a clear course to the cloud isn’t always easy. In this paper, we aim to clear the clouds. We examine different cloud computing models, discuss the types of requirements that each can best address, and consider what midmarket businesses should look for in a cloud solutions provider. -
Best Practice in BYOD
The key trend affecting enterprise mobility today can be summarized in four letters: BYOD – Bring Your Own Device. As the number of end-users bringing devices into your organization grows, so does the need for an effective Enterprise Mobility Management (EMM) solution. Learn how to manage devices across multiple platforms all from a single, centralised and unified management console. Download for more! -
Pathways Advanced ICT Leadership Development Program Course Outline and Big 6 2013
Developed by the CIO executive Council in conjunction with Rob Livingstone Advisory, Pathways Advanced is a 12-month CIO delivered, small group, mentor based professional leadership development program. Pathways Advanced brings together best practice, thought leadership and business insights for today’s most promising ICT professionals
Get exclusive access to Invitation only events CIO, reports & analysis. 
