Senator: New cybersecurity regulations needed for banks
- 22 June, 2011 04:26
Current regulations aren't enough to warn customers and protect them against data breaches at financial institutions, one U.S. senator said during a hearing Tuesday.
Senator Robert Menendez, a New Jersey Democrat, questioned why Citigroup took about a month to report a breach affecting more than 360,000 credit card accounts in North America. Citigroup, which confirmed the breach in early June, never notified Menendez's chief of staff that his account was compromised, Menendez said.
The staffer attempted to use his credit card and was declined, then called Citigroup to discover his account was hacked, Menendez said. "It seems to me there is a fiduciary responsibility by the [financial] entity to proactively tell their customer that has happened," he said during a Senate Banking, Housing and Urban Affairs Committee hearing.
Citigroup did not testify at the hearing, and a company representative did not immediately return a phone message seeking comment on Menendez's criticism. But Leigh Williams, president of the BITS division of The Financial Services Roundtable, said he has "no doubt" that banks and other financial services companies have a responsibility to notify customers of breaches.
"Do you think a month to notify customers is an appropriate time frame?" Menendez asked.
"I think that as soon as an institution understands what has occurred, they have an obligation to notify their regulators, under regulatory rules, and they have a fiduciary and a business responsibility to notify customers if there's any way those customers can begin to take action to protect themselves," Williams said.
The banking industry is "constantly" improving its cybersecurity efforts, Williams said.
In the past six years, U.S. financial services companies have reported 288 data breaches, with 83 million records compromised, Menendez said. He questioned whether banks were doing enough to protect their customer accounts.
Menendez called for a national law requiring breached businesses to notify affected customers. More than 45 states have breach notification laws, making it difficult for businesses to comply with all of them, said Stuart Pratt, president and CEO of the Consumer Data Industry Association, a trade group representing data brokers.
Menendez also called on the Senate to pass his Cybersecurity Enhancement Act, which would allocate new money for cybersecurity research and scholarships.
But Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC), warned lawmakers to avoid preempting strong state laws with a weak federal data-breach notification law. Rotenberg questioned Williams' assurances that financial institutions are serious about cybersecurity.
"The experience of consumers today is actually very different," Rotenberg said. "It may be the case that financial institutions are spending a lot of money to safeguard this data, but what consumers are seeing is more and more breaches. We have a problem, and this problem is getting worse."
Existing regulations may not help small banks better protect data, because of limited resources, added Kevin Streff, director of the National Center for Protection of Financial Infrastructure at Dakota State University in Madison, South Dakota.
Small banks and small businesses are the "soft underbelly of underprotected targets," he said. About 70 percent of small and medium-sized businesses lack basic cybersecurity controls, Streff added.
Small banks can't afford to pay "six-figure salaries" to IT security professionals and often add cybersecurity responsibilities to a staff member's duties, Streff said. The U.S. government can help by providing funding for training for cybersecurity professionals, he said.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.