Senator: New cybersecurity regulations needed for banks
- 22 June, 2011 04:26
Current regulations aren't enough to warn customers and protect them against data breaches at financial institutions, one U.S. senator said during a hearing Tuesday.
Senator Robert Menendez, a New Jersey Democrat, questioned why Citigroup took about a month to report a breach affecting more than 360,000 credit card accounts in North America. Citigroup, which confirmed the breach in early June, never notified Menendez's chief of staff that his account was compromised, Menendez said.
The staffer attempted to use his credit card and was declined, then called Citigroup to discover his account was hacked, Menendez said. "It seems to me there is a fiduciary responsibility by the [financial] entity to proactively tell their customer that has happened," he said during a Senate Banking, Housing and Urban Affairs Committee hearing.
Citigroup did not testify at the hearing, and a company representative did not immediately return a phone message seeking comment on Menendez's criticism. But Leigh Williams, president of the BITS division of The Financial Services Roundtable, said he has "no doubt" that banks and other financial services companies have a responsibility to notify customers of breaches.
"Do you think a month to notify customers is an appropriate time frame?" Menendez asked.
"I think that as soon as an institution understands what has occurred, they have an obligation to notify their regulators, under regulatory rules, and they have a fiduciary and a business responsibility to notify customers if there's any way those customers can begin to take action to protect themselves," Williams said.
The banking industry is "constantly" improving its cybersecurity efforts, Williams said.
In the past six years, U.S. financial services companies have reported 288 data breaches, with 83 million records compromised, Menendez said. He questioned whether banks were doing enough to protect their customer accounts.
Menendez called for a national law requiring breached businesses to notify affected customers. More than 45 states have breach notification laws, making it difficult for businesses to comply with all of them, said Stuart Pratt, president and CEO of the Consumer Data Industry Association, a trade group representing data brokers.
Menendez also called on the Senate to pass his Cybersecurity Enhancement Act, which would allocate new money for cybersecurity research and scholarships.
But Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC), warned lawmakers to avoid preempting strong state laws with a weak federal data-breach notification law. Rotenberg questioned Williams' assurances that financial institutions are serious about cybersecurity.
"The experience of consumers today is actually very different," Rotenberg said. "It may be the case that financial institutions are spending a lot of money to safeguard this data, but what consumers are seeing is more and more breaches. We have a problem, and this problem is getting worse."
Existing regulations may not help small banks better protect data, because of limited resources, added Kevin Streff, director of the National Center for Protection of Financial Infrastructure at Dakota State University in Madison, South Dakota.
Small banks and small businesses are the "soft underbelly of underprotected targets," he said. About 70 percent of small and medium-sized businesses lack basic cybersecurity controls, Streff added.
Small banks can't afford to pay "six-figure salaries" to IT security professionals and often add cybersecurity responsibilities to a staff member's duties, Streff said. The U.S. government can help by providing funding for training for cybersecurity professionals, he said.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is email@example.com.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
- OAIC releases privacy impact assessment guide for consultation
- Some Australian businesses 'unlikely' to be ready for Privacy Act changes: survey
- BYOA 'shadow IT' grows in the enterprise: Telsyte
- Cost of a Privacy Act breach could extend to ongoing audits: legal expert
- How Hunter Water is saving $50k a year in software licences
Trust issue looms large for tech companies capitalizing on personal data
5 women who've made it in IT
Five trends affecting legal CIOs
CIO Roundtable: The changing face of security
Bitcoin malware count soars as cryptocurrency value climbs
Bell Gully Law Firm Success
Read this whitepaper to find out how one of New Zealand’s oldest leading law firms was able to remove tangible risk to the business and enhance productivity by rapidly deploying an improved fundamental Unified Communication solution.
Case Study: Columbia Sportswear
With the agility and intelligence provided by their management tools, Columbia sportswear is transforming IT to be much more service oriented in fulfilling business requests and delivering resources as needed. It’s allowing IT to “never say no” with an infrastructure that can handle nearly any project that comes through the door.
Evolving Threats Demand New Approaches to Security
As the world becomes increasingly hyperconnected, the opportunities for innovation are virtually limitless. At the same time, the complexity and risk associated with those opportunities is great. Security threats have the potential for enormous ramifications, but so does deploying a security strategy that compromises the user experience, performance, and the ability to innovate online. This paper will profile the emerging disruptive players, and identifies the essential steps to establishing a secure environment without compromising performance or experience.